Crazy Train [Web – 250 Points]- RITSEC CTF

Challenge Description

Author: hulto

I try many different vulnerable task at this challenge. but it not work. I notice this is hidden value article[a] . i try to insert input aaaaaaaaaaaaa it not work. but  when i insert the number 111111 it work.

So i try to use arithmetic calculation.

2 + 4 # not work

2 * 4 # work

5 / 2 # work

After searching google. it is Server Side Template Injection but there are many language there. ruby, python, php, java

it useful link

I found this link and read it.

To read /etc/passwd

<%='/etc/passwd').read %>

Yeah! it work.

Ok. Time to read flag.txt

<%='flag.txt').read %>

The flag is

RITSEC{[email protected]_bad_idea}


Note: There are nice trick to search directory. Credit to Aj Dumanhug.

<%= Dir.entries('.') %>

Thanks for reading.