# CTF-like vulnerable web app on Docker
## Intro
This is a simple and lightweight challenge on CRLF injection. The learner has to enumerate and find exposed directories, then identify and exploit a misconfiguration to escalate privileges and get the flag, located in `/home/flag.txt`.
## Walkthrough
Navigate to http://localhost/. The front-end is not set up yet and offers little of interest to the user.

Simple manual enumeration of directories may expose the `/files` index and the `/files/home` directory, which redirects users who do not have the secret cookie.


To get past the redirects and reach the flag, the user should take advantage of the redirect itself and exploit the nginx CRLF vulnerability. *CR* and *LF* (also written `\r\n`) are special characters that signify the End of Line (EOL). In a web application, `%0d%0a` represents the CRLF characters and lets an attacker manipulate the HTTP response, for example by adding a header or splitting the response.
Adding the payload `%0d%0aSet-Cookie:%20User=Admin` to the URL of the `/files/home` page creates a `User=Admin` cookie and grants access to `flag.txt`.
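
A defender-side check for the request described above, as an added example that is not part of this repository: it scans nginx access-log lines for request targets that decode to CR/LF and reports the header names they try to inject. The log lines are constructed samples, and the `combined` log format and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Request line and status as they appear in nginx's "combined" access log
# (assumed format; adjust the pattern if log_format is customised).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A header name that follows an injected line break in the decoded target.
HEADER_RE = re.compile(r'[\r\n]+[ \t]*([A-Za-z0-9-]+)[ \t]*:')


def find_crlf_injection(log_line):
    """Return a finding dict if the request target decodes to CR/LF, else None."""
    match = REQUEST_RE.search(log_line)
    if match is None:
        return None
    raw = match.group("target")
    decoded = unquote(raw)  # handles %0d%0a and %0D%0A alike
    if "\r" not in decoded and "\n" not in decoded:
        return None
    status = int(match.group("status"))
    return {
        "target": raw,
        "status": status,
        # A 3xx answer means the decoded target may have reached a Location header.
        "reflected_in_redirect": 300 <= status < 400,
        "injected_headers": HEADER_RE.findall(decoded),
    }


def scan(lines):
    """Run the check over an iterable of log lines and keep the hits."""
    return [f for f in map(find_crlf_injection, lines) if f is not None]


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /files/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '172.17.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /files/home HTTP/1.1" 302 145 "-" "curl/8.0"',
    '172.17.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /files/home%0d%0aSet-Cookie:%20User=Admin HTTP/1.1" 302 145 "-" "curl/8.0"',
    '172.17.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /files/home%0D%0ASet-Cookie:%20User=Admin HTTP/1.1" 302 145 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with `reflected_in_redirect` set and `Set-Cookie` among the injected headers is the pattern this challenge produces; on a real server it is a reason to review how the redirect builds its `Location` value.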
