TPC (web, 310p, 33 solves) Description The challenge implements a simple python application taking an URL as parameter. It allows us to perform SSRF and local file disclosure.
Reading a file on the server is as simple as:
$ curl -s --output - 'http://188.8.131.52:8000/query?site=file:///etc/passwd' root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin [...] We first needed to be sure what the python code does. To find this out, we tried to find where it was located:
For this task, a very simple Python application and its source code is provided.
Analysis The application let us register, login, submit a link and edit a single field “note” that will be displayed on /profile.
The application code is pretty straightforward and allows us to insert markdown on our own profile page.
The python code responsible for markdown rendering (md2html) is the following:
@app.route("/update_notes", methods=["POST"]) @login_required def update_notes(): # markdown support!