Borderline Personality

Web 50 pts

Challenge

"The proxy thinks it's in control. The backend thinks it's safe. Find the space between their lies and slip through."

  • URL: http://chall.ehax.in:9098/
  • Author: N0nchalantAc1d

Analysis

HAProxy sits in front of a Flask/gunicorn backend. The /admin/flag endpoint returns the flag, but HAProxy blocks access to it with an ACL:

acl restricted_path path -m reg ^/+admin
http-request deny if restricted_path

This regex blocks any path starting with one or more slashes followed by the literal string admin. HAProxy evaluates the path fetch against the request path exactly as it was sent, without percent-decoding it first.

Solution

URL-encode one character of "admin" so the raw path no longer matches the regex, while Flask still routes the decoded path to the handler:

curl --path-as-is "http://chall.ehax.in:9098/%61dmin/flag"

HAProxy sees /%61dmin/flag, which doesn't match ^/+admin. Flask/Werkzeug URL-decodes the path to /admin/flag and serves the flag. The proxy and the backend apply different parsers to the same path, and the deny rule only ever sees the proxy's view.
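To make the mismatch concrete from the defender's side, here is an added Python model of both parsers (this is illustrative code written for this page, not HAProxy's or Werkzeug's own implementation). It applies the writeup's regex to the raw path the way the ACL does, shows what the backend routes on after percent-decoding, flags any request where the two disagree, and contrasts that with a check that normalises the path before matching. The normalisation routine and the sample paths are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Python equivalent of the HAProxy ACL in the writeup: one or more slashes,
# then the literal "admin", anchored at the start of the path.
RESTRICTED = re.compile(r"^/+admin")


def proxy_denies_raw(raw_path: str) -> bool:
    """Model of the page's ACL: the regex is matched against the request
    path exactly as sent, still percent-encoded."""
    return RESTRICTED.match(raw_path) is not None


def backend_path(raw_path: str) -> str:
    """Model of the backend: Flask/Werkzeug percent-decodes the path before
    routing, so this is the string the /admin/flag handler is selected on."""
    return unquote(raw_path)


def normalize_path(raw_path: str) -> str:
    """Illustrative canonicalisation (assumed, not HAProxy's own code):
    percent-decode, then collapse runs of slashes, so the deny rule sees the
    same string the backend will route on."""
    return re.sub(r"/+", "/", unquote(raw_path))


def proxy_denies_normalized(raw_path: str) -> bool:
    """Hardened check: the same regex, applied to the normalised path."""
    return RESTRICTED.match(normalize_path(raw_path)) is not None


def parser_mismatch(raw_path: str) -> bool:
    """True when the raw-path ACL lets a request through but the backend
    would still route it to a restricted handler: the gap the challenge
    description calls 'the space between their lies'."""
    reaches_restricted = RESTRICTED.match(backend_path(raw_path)) is not None
    return reaches_restricted and not proxy_denies_raw(raw_path)


# Constructed sample paths: the plain request, the writeup's encoded variant,
# a doubled-slash variant the regex already anticipates, and a benign path.
SAMPLES = ["/admin/flag", "/%61dmin/flag", "//admin/flag", "/public/index"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:16} raw-ACL denies={proxy_denies_raw(p)!s:5} "
              f"backend routes to={backend_path(p):14} "
              f"mismatch={parser_mismatch(p)!s:5} "
              f"normalised-ACL denies={proxy_denies_normalized(p)}")
```

Running the sample loop shows that only the encoded variant passes the raw-path ACL while still reaching the restricted handler, and that the normalised check closes that case without changing the verdict on the other paths. The general lesson is that an authorisation rule must operate on the same representation the enforcing component will act on: either enforce the check in the backend itself, or canonicalise at the proxy before matching. HAProxy 2.4 and later can do the latter with http-request normalize-uri (for example the percent-decode-unreserved and path-merge-slashes options) placed before the ACL is evaluated; note that percent-decode-unreserved only decodes unreserved characters such as letters and digits, which is exactly the class %61 falls into.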