daffainfo
/
ctf-writeup
mirror of https://github.com/daffainfo/ctf-writeup.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ctf-writeup/2023/NewportBlakeCTF 2023/Galleria
History
daffainfo e6c48e50f1 feat: grouped the challs 2024-01-09 16:59:32 +07:00
..
images feat: grouped the challs 2024-01-09 16:59:32 +07:00
README.md feat: grouped the challs 2024-01-09 16:59:32 +07:00

README.md

Galleria

Put up some fun images for everyone in this amazing image gallery!

About the Challenge

We were given a web and a source code, the web has many functionalities such as:

  • We can upload an image
  • We can read arbitrary file

Here is the preview of the website

preview

How to Solve?

If we check the Dockerfile file, the flag was located in /tmp/flag.txt and because we can read any file using /gallery endpoint

@app.route('/gallery')
def gallery():
    if request.args.get('file'):
        filename = os.path.join('uploads', request.args.get('file'))
        if not check_file_path(filename):
            return redirect(url_for('gallery'))

        return send_file(filename)

    image_files = [f for f in os.listdir(
        app.config['UPLOAD_FOLDER'])]
    return render_template('gallery.html', images=image_files)

We can read the flag using this payload

flag

nbctf{w0nd3rh0000yyYYyYyyYyyyYyYYYyy!}