Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio


Table of Contents

  1. Overview
  2. Background
  3. Enumeration
  4. Exploitation
  5. Conclusion



Do you speak the language of the flags?


Index page:

In here, we can get the translated version of the word “Hello world” from English to many different languages:

Burp Suite HTTP history:

When we selected a country, it’ll send a GET request to /view with parameter name country and value <your_selected_country> asynchronously.

By playing around, I found that there’s a “country” called Flagistan:

When I select that option, it just gave me the flag??

Uhhh… Pretty sure its unintended?…

To figure out why, let’s dive into the source code of this web application.

In this challenge, we can download a file:

└> file Zip archive data, at least v2.0 to extract, compression method=deflate
└> unzip   
  inflating: Dockerfile              
  inflating: package.json            
  inflating: package-lock.json       
   creating: src/
  inflating: src/index.html          
  inflating: src/app.js              
  inflating: src/countries.yaml      
   creating: src/assets/
  inflating: src/assets/style.css    
  inflating: src/assets/flag.js      

By viewing the source code, we can figure out how the application is working.

src/app.js, GET method route /:

const crypto = require('crypto');
const fs = require('fs');
const path = require('path');
const express = require('express');
const cookieParser = require('cookie-parser');
const yaml = require('yaml');

const yamlPath = path.join(__dirname, 'countries.yaml');
const countryData = yaml.parse(fs.readFileSync(yamlPath).toString());
const countries = new Set(Object.keys(countryData));
const countryList = JSON.stringify(btoa(JSON.stringify(Object.keys(countryData))));

const isoLookup = Object.fromEntries([...countries].map(name => [
  {...countryData[name], name }
app.get('/', (req, res) => {
  const template = fs.readFileSync(path.join(__dirname, 'index.html')).toString();
  const iso = req.signedCookies.iso || 'US';
  const country = isoLookup[iso];
      .replaceAll('$msg$', country.msg)
      .replaceAll('$iso$', country.iso)
      .replaceAll('$countries$', countryList)

In this route, it’ll lookup the country code (ISO 3166-1) based on our cookie name iso’s value. If there’s no cookie named iso, it’ll just use US by default.

The countryData YAML data can be read on src/countries.yaml:

%YAML 1.1
  iso: FL
  msg: "<REDACTED>"
  password: "<REDACTED>"

# i love chatgpt translation :3
  iso: AF
  msg: سلام دنیا
  deny: []

As you can see, there’s a country called Flagistan, and its ISO is FL. Also, the msg and password is <REDACTED>? Maybe they contains the real flag??

Hmm… But there’s a deny list for all countries ISO? What’s that?

src/app.js, GET method route /view:

app.get('/view', (req, res) => {
  if (! {
    res.status(400).json({ err: 'please give a country' });
  if (!countries.has( {
    res.status(400).json({ err: 'please give a valid country' });
  const country = countryData[];
  const userISO = req.signedCookies.iso;
  if (country.deny.includes(userISO)) {
    res.status(400).json({ err: `${} has an embargo on your country` });
  res.status(200).json({ msg: country.msg, iso: country.iso });

In this route, when GET parameter country is provided and is a valid country, it’ll return the countryData object’s msg and iso attribute.

However, there’s a caveat. When our cookie iso is in the country’s deny list, it’ll return <country_name> has an embargo on your country. Otherwise, return the country’s msg and iso.

Ahh, I see what’s that deny list in the YAML file.


So, to get the flag, we can just send a GET request to /view with parameter country=Flagistan without any cookies.

In my case, when I first explore the web application, there’s no cookies have been set:

Which is very weird, the iso cookie should be set when I first visited the index page (/).

Anyway, based on the information in above, we can get the flag!

└> curl

(Get the flag in a beautiful way using jq):

└> curl -s | jq -r '.msg'


What we’ve learned:

  1. Bypassing restriction with no cookies