Indirect Payload - Miscellaneous (MEDIUM) Huntress CTF Writeup

Indirect Payload - Writeup

Visiting the website, we get this page:

[Image: indirect payload 1]

When I clicked on the button, it redirected me to another URL, and I got an error message. Hmmm… It seems that clicking the button results in an endless loop of redirection.

[Image: indirect payload 2]

[Image: indirect payload 3]

I then decided to see what was happening using Burp Suite.

[Image: indirect payload 4]

Every time I sent a GET request to the /flag.php site, I got new URLs instead. This was when I decided to follow it manually, and after 2 more redirections I could finally see the first character of the flag.

[Image: indirect payload 5]

This is when I realized that the flag is scattered through all the URLs that I was forced to redirect to. To save time, I used this Python script that follows the URLs and prints the payload whenever there is one.

[Image: indirect payload 6]

After running the script, I was able to see the whole picture.

[Image: indirect payload 7]

I first saved the output to a file called “flag.txt” and then ran another Python script that parses the output and prints the flag in the correct format.

[Image: indirect payload 8]

[Image: indirect payload 9]
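
The two scripts mentioned above (following the redirects, then parsing the collected output) are not reproduced in the text, so here is an added example that does both steps in one file; it is not the author's code. The local stand-in server, its `/hop/N` paths, the `character N of the payload is X` body wording and the `flag{demo}` value are constructed assumptions so the block runs offline.

```python
import http.client, re, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

SECRET = "flag{demo}"  # constructed sample value, not the challenge flag

class Chain(BaseHTTPRequestHandler):
    """Constructed stand-in: all pages 302, even hops carry one character, last hop loops back."""
    def do_GET(self):
        m = re.fullmatch(r"/hop/(\d+)", self.path)
        i = int(m[1]) if m else -1            # /flag.php (or anything else) is the entry
        frag = 0 <= i < 2 * len(SECRET) and i % 2 == 0
        body = f"character {i // 2} of the payload is {SECRET[i // 2]}".encode() if frag else b""
        self.send_response(302)
        self.send_header("Location", "/flag.php" if i + 1 >= 2 * len(SECRET) else f"/hop/{i + 1}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass        # keep the demo output quiet

def follow(url, max_hops=100):
    """Fetch each hop without auto-following redirects; return the non-empty bodies."""
    seen, bodies = set(), []
    while url and url not in seen and len(seen) < max_hops:   # stop when the loop closes
        seen.add(url)
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        bodies.append(resp.read().decode(errors="replace").strip())
        conn.close()
        loc = resp.getheader("Location") if 300 <= resp.status < 400 else None
        url = urljoin(url, loc) if loc else None
    return [b for b in bodies if b]

def assemble(bodies):
    """Order fragments by the index they state rather than by arrival order."""
    pat = re.compile(r"character (\d+) of the payload is (.)")
    found = {int(m[1]): m[2] for b in bodies if (m := pat.search(b))}
    return "".join(found[k] for k in sorted(found))

def demo():
    with HTTPServer(("127.0.0.1", 0), Chain) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        flag = assemble(follow(f"http://127.0.0.1:{srv.server_port}/flag.php"))
        srv.shutdown()
    return flag

if __name__ == "__main__":
    print(demo())
```

The `seen` set is what ends the run: a browser keeps following the loop until it gives up with a redirect error, while this client stops as soon as a URL repeats.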