ACM Cyber - UCLA

Simple Calculator - LFI

  • The challenge was pretty straightforward and just displayed this

  • Viewing the source gave us a few tips for bypassing the filtering

  • This is a Flask web application with several routes. The most interesting one was the source route, which takes user input via request.args.get() and reads the named file. If the file is not present, it returns 500 Internal Server Error

  • The most interesting part: by default it reads app.py to display the source code, and if it detects any path traversal sequence (../) in the input it replaces it with "" (an empty string), which strips it out

  • To bypass it, we have to use 4 dots and 2 slashes, because the filter strips out 2 dots and 1 slash in a single pass and what remains is again ../

  • Then read out the /proc/self/environ file. Why this file? The flag route in the source code shows that the FLAG variable lives in os.environ
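
The filter weakness described above, next to a hardened check, as an added example that is not the challenge's own code. `BASE_DIR`, the function names and the sample inputs are assumptions made for illustration; only the single-pass `replace("../", "")` behaviour comes from the write-up.

```python
import os

BASE_DIR = "/srv/app"  # assumed application directory (hypothetical)


def strip_once(name: str) -> str:
    """Filter as the write-up describes it: one pass of replace('../', '')."""
    return name.replace("../", "")


def resolve_unsafe(name: str) -> str:
    """Path a route would read if it trusted the single-pass filter."""
    return os.path.normpath(os.path.join(BASE_DIR, strip_once(name)))


def resolve_safe(name: str) -> str:
    """Hardened form: canonicalise first, then require the result to stay in BASE_DIR."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the challenge.
    samples = [
        "app.py",
        "../../proc/self/environ",
        "....//....//proc/self/environ",
        "/proc/self/environ",
    ]
    for sample in samples:
        try:
            safe = resolve_safe(sample)
        except ValueError as exc:
            safe = f"rejected ({exc})"
        print(f"{sample!r}\n  filtered: {resolve_unsafe(sample)}\n  hardened: {safe}")
```

The hardened version never rewrites the input: without the stripping step, `....` is just a literal directory name under the base directory, and anything that resolves outside the base is refused.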
