Note

Second web challenge from the RushCTF 2023.

Description

Hey what do you think about my blog?

Hint: where are passwords stored?

Recon

The main page is a beautiful default blog page, with nothing much to do here.

If we look around and open some posts, we can see that they’re fetched through a GET parameter.

Exploitation

This kind of parameter is usually vulnerable to local file inclusion (LFI), which would allow us to render any file from the server. Since the hint talks about where the passwords are stored, let’s try to read /etc/passwd.

We can see it worked correctly, and we got the flag! GG!
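
For the defender's side of this bug, here is an added example in Python (not part of the original write-up and not the challenge's code): a post loader that opens the request value as-is, next to one that resolves the path and refuses anything outside the posts directory. The function names, directory layout and file names are assumptions made for the illustration; the challenge's real parameter and server code are not shown on this page.

```python
import os
import tempfile

def load_post_vulnerable(posts_dir, name):
    # Weak pattern: the request value is joined to the base directory and
    # opened as-is, so "../" segments or an absolute path escape it.
    with open(os.path.join(posts_dir, name), "r") as fh:
        return fh.read()

def load_post_hardened(posts_dir, name):
    # Resolve ".." and symlinks first, then require the result to stay
    # inside the posts directory before opening anything.
    base = os.path.realpath(posts_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise PermissionError("post not found")
    with open(target, "r") as fh:
        return fh.read()

def demo():
    # Constructed layout: <root>/posts/hello.txt is public, <root>/secret.txt is not.
    root = tempfile.mkdtemp()
    posts = os.path.join(root, "posts")
    os.mkdir(posts)
    with open(os.path.join(posts, "hello.txt"), "w") as fh:
        fh.write("first post")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not a post")
    results = {}
    # One legitimate value, one relative escape, one absolute path.
    for value in ("hello.txt", "../secret.txt", os.path.join(root, "secret.txt")):
        leaked = load_post_vulnerable(posts, value)
        try:
            safe = load_post_hardened(posts, value)
        except PermissionError:
            safe = None
        label = "<absolute>" if os.path.isabs(value) else value
        results[label] = (leaked, safe)
    return results

if __name__ == "__main__":
    for value, (leaked, safe) in demo().items():
        print(f"{value!r}: vulnerable={leaked!r} hardened={safe!r}")
```

An allow-list of known post identifiers mapped to files removes the path handling from the request entirely and is stricter than the containment check shown here.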