rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
CTF: BUCKEYE2024
Challenges
- Web
- SFSS
WEB
SFSS
-
The web app is vulnerable to path traversal which involves using the dot-dot slash characters to read a file.The route
downloadcontains the sink code.@app.route('/download/<path:file_id>') def download(file_id): file_id = filter_file_id(file_id) if file_id is None: return {'status': 'error', 'message': 'Invalid file id'}, 400 if not os.path.exists('uploads/' + file_id): return {'status': 'error', 'message': 'File not found'}, 404 if not os.path.isfile('uploads/' + file_id): return {'status': 'error', 'message': 'Invalid file id'}, 400 return send_file('uploads/' + file_id, download_name=f"{file_id}.{file_exts.get(file_id, 'UNK')}") -
The
send_file()function is vulnerable to path traversal if the file value can be controlled by an attacker.Thedownloadroute in this case passes thefile_idpath variable into send file.We can control the path to read the flag file.return send_file('uploads/' + file_id, download_name=f"{file_id}.{file_exts.get(file_id, 'UNK')}")
Exploitation
- I forced curl to include the characters
../in a request without interpreting it with the--path-as-isoption and read the file/etc/passwd.
- Flag-:
bctf{4lw4y5_35c4p3_ur_p4th5}