The flag is at 3.23.56.243:9008. Unfortunately it seems like the site is down right now :( . Maybe you can ask someone for help? Don't blow up their inbox though :) and make sure you clearly tell them what you want. \--- Visiting the [site](http://3.23.56.243:9008/), we are presented the following message, and nothing else: ``` Website down! please contact IT for more information ``` Checking /robots.txt, we find some info: ``` USER AGENTS: * DISALLOW contactIT DISALLOW countdown ``` Visiting /contactIT, we get this message: ``` Post:Json Request Only ``` And /countdown returns some page with Pennywise in the background and the text "27 years." Heading into Burp Suite, we can send the request to /contactIT to the Repeater. Let's change the method to POST and resend the request: ```yaml POST /contactIT HTTP/1.1 Host: 3.23.56.243:9008 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ``` The response: ```html HTTP/1.1 415 UNSUPPORTED MEDIA TYPE Server: Werkzeug/3.0.1 Python/3.12.2 Date: Sun, 24 Mar 2024 20:05:59 GMT Content-Type: text/html; charset=utf-8 Content-Length: 215 Connection: close 415 Unsupported Media Type

Unsupported Media Type

Did not attempt to load JSON data because the request Content-Type was not 'application/json'. ``` Seems like we need to set the Content-Type header to "application/json". I also added some JSON into the data section to see if it'd produce a response: ```yaml POST /contactIT HTTP/1.1 Host: 3.23.56.243:9008 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 15 Content-Type: application/json {"years": "27"} ``` The response: ```html HTTP/1.1 500 INTERNAL SERVER ERROR Server: Werkzeug/3.0.1 Python/3.12.2 Date: Sun, 24 Mar 2024 20:10:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 15591 Connection: close TypeError: argument of type 'NoneType' is not iterable // Werkzeug Debugger

TypeError

TypeError: argument of type 'NoneType' is not iterable

Traceback (most recent call last)

*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 1488, in `__call__`

) -> cabc.Iterable[bytes]: """The WSGI server calls the Flask application object as the WSGI application. This calls :meth:`wsgi_app`, which can be wrapped to apply middleware. """ return self.wsgi_app(environ, start_response) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 1466, in `wsgi_app`

try: ctx.push() response = self.full_dispatch_request() except Exception as e: error = e response = self.handle_exception(e) ^^^^^^^^^^^^^^^^^^^^^^^^ except: # noqa: B001 error = sys.exc_info()[1] raise return response(environ, start_response) finally:
*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 1463, in `wsgi_app`

ctx = self.request_context(environ) error: BaseException | None = None try: try: ctx.push() response = self.full_dispatch_request() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ except Exception as e: error = e response = self.handle_exception(e) except: # noqa: B001 error = sys.exc_info()[1]
*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 872, in `full_dispatch_request`

request_started.send(self, _async_wrapper=self.ensure_sync) rv = self.preprocess_request() if rv is None: rv = self.dispatch_request() except Exception as e: rv = self.handle_user_exception(e) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ return self.finalize_request(rv) def finalize_request( self, rv: ft.ResponseReturnValue | HTTPException,
*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 870, in `full_dispatch_request`

try: request_started.send(self, _async_wrapper=self.ensure_sync) rv = self.preprocess_request() if rv is None: rv = self.dispatch_request() ^^^^^^^^^^^^^^^^^^^^^^^ except Exception as e: rv = self.handle_user_exception(e) return self.finalize_request(rv) def finalize_request(
*

File "/usr/local/lib/python3.12/site- packages/flask/app.py", line 855, in `dispatch_request`

and req.method == "OPTIONS" ): return self.make_default_options_response() # otherwise dispatch to the handler for that endpoint view_args: dict[str, t.Any] = req.view_args # type: ignore[assignment] return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ def full_dispatch_request(self) -> Response: """Dispatches the request and on top of that performs request pre and postprocessing as well as HTTP exception catching and error handling.
*

File "/app/webapp.py", line 26, in `submitted`

if request.method == 'POST': content = request.get_json() sender = content.get('email') messege = content.get('messege') f.setSender(sender) f.checkResponds(messege) ^^^^^^^^^^^^^^^^^^^^^^^^ else: return "Post:Json Request Only" return "Email Sent!" @app.route("/countdown")
*

File "/app/floaty.py", line 17, in `checkResponds`

def setSender(self, email): self.sendto = email #Check Responds for flag or fake def checkResponds(self, responds): if "flag" in responds: ^^^^^^^^^^^^^^^^^^ self.sendFlag() else: self.sendFake() #Send Flag if requested
TypeError: argument of type 'NoneType' is not iterable
This is the Copy/Paste friendly version of the traceback.
The debugger caught an exception in your WSGI application. You can now look at the traceback which led to the error. If you enable JavaScript you can also use additional features such as code execution (if the evalex feature is enabled), automatic pasting of the exceptions and much more.
Brought to you by **DON'T PANIC** , your friendly Werkzeug powered traceback interpreter.

Console Locked

The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server.
PIN:
``` That's long... But, notably, after scrolling through, I noticed it seemed to be outputting the lines in the source code! Perfect. Let's try and write out what's going on, starting from line 139: This is /app/webapp.py: ```py def unknown_func(): if request.method == "POST": content = request.get_json() sender = content.get("email") messege = content.get("messege") f.setSender(sender) f.checkResponds(messege) else: return "Post:Json Request Only" return "Email Sent!" @app.route("/countdown") ``` And this is /app/floaty.py: ```py class unknown_class: def setSender(self, email): self.sendto = email #Check Responds for flag or fake def checkResponds(self, responds): if "flag" in responds: self.sendFlag() else: self.sendFake() #Send Flag if requested ``` Seems like we need to include a json object with an "email" and a "messege". The "email" should be one we can access, while the "messege" should just include the flag. Thus, the final request is as follows: ```yaml POST /contactIT HTTP/1.1 Host: 3.23.56.243:9008 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close Content-Length: 66 Content-Type: application/json { "email": "[email protected]", "messege": "flag" } ``` The response: ```html HTTP/1.1 200 OK Server: Werkzeug/3.0.1 Python/3.12.2 Date: Sun, 24 Mar 2024 20:16:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 11 Connection: close Email Sent! ``` Check your email for the flag! texsaw{7h15_15_7h3_r34l_fl46_c0n6r47ul4710n5} Original writeup (https://nightxade.github.io/ctf- writeups/writeups/2024/Texsaw-CTF-2024/web/ask-and-it-shall-be-given-to- you.html).