https://web-static-file-server-9af22c2b5640.2023.ductf.dev/files/not_the_flag.txt ->
The real flag is at /flag.txt
https://web-static-file-server-9af22c2b5640.2023.ductf.dev/flag.txt ->
404
Web source code
from aiohttp import web
async def index(request):
return web.Response(body='''
<header><h1>static file server</h1></header>
Here are some files:
<ul>
<li><img src="/files/ductf.png"></img></li>
<li><a href="/files/not_the_flag.txt">not the flag</a></li>
</ul>
''', content_type='text/html', status=200)
app = web.Application()
app.add_routes([
web.get('/', index),
# this is handled by https://github.com/aio-libs/aiohttp/blob/v3.8.5/aiohttp/web_urldispatcher.py#L654-L690
web.static('/files', './files', follow_symlinks=True)
])
web.run_app(app)
Dockerfile:
FROM python:3.10
WORKDIR /app
COPY app.py .
COPY flag.txt /flag.txt
COPY files/ files/
RUN pip3 install aiohttp
RUN /usr/sbin/useradd --no-create-home -u 1000 ctf
USER ctf
CMD ["python3", "app.py"]
=> Flag in root dir
=> need to make the server read the arbitrary file
Wenn wir symlinks erstellen könnten können wir einen symlink ins root verzeichnis erstellen