picoCTF 2022 | Forbidden Paths Write-up

Challenge description

Can you get the flag? Here’s the website. We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

Category: Web Exploitation


First, I tried to input /flag.txt, but that sadly doesn’t work. After a few minutes of contemplation, I suddenly recalled how web browsers can be used as file browsers by simply replacing https:// with file://, followed by a destination (file:///, for example, will show you the contents of your root directory).

So I tried to input file:///flag.txt instead and voila!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: