https://web-static-file-server-9af22c2b5640.2023.ductf.dev/files/not_the_flag.txt ->

```
The real flag is at /flag.txt
```

https://web-static-file-server-9af22c2b5640.2023.ductf.dev/flag.txt ->

```
404
```

Web source code
```python
from aiohttp import web

async def index(request):
    return web.Response(body='''
        <header><h1>static file server</h1></header>
        Here are some files:
        <ul>
            <li><img src="/files/ductf.png"></img></li>
            <li><a href="/files/not_the_flag.txt">not the flag</a></li>
        </ul>
    ''', content_type='text/html', status=200)

app = web.Application()
app.add_routes([
    web.get('/', index),

    # this is handled by https://github.com/aio-libs/aiohttp/blob/v3.8.5/aiohttp/web_urldispatcher.py#L654-L690
    web.static('/files', './files', follow_symlinks=True)
])
web.run_app(app)
```

Dockerfile:
```docker
FROM python:3.10

WORKDIR /app
COPY app.py .
COPY flag.txt /flag.txt
COPY files/ files/

RUN pip3 install aiohttp

RUN /usr/sbin/useradd --no-create-home -u 1000 ctf
USER ctf

CMD ["python3", "app.py"]
```

=> Flag in root dir 

=> need to make the server read the arbitrary file


Wenn wir symlinks erstellen könnten können wir einen symlink ins root verzeichnis erstellen