Taking a look at the website, it seems simple enough. You type in text, hit the "Create" button, and it renders the text below. Let's probe for Flask (Jinja2) template injection:
Interesting. At first glance it may look as if Flask injection won't get anywhere. But as with any web challenge, we should look at the source, and in this case at what "Create" actually does:
/notes? Let’s check it out.
So we can see that Flask injection works after all. Since we are told that the flag is at /flag, we start probing for a File class of sorts (see captions for the injections used).
No File class that I can see, but os._wrap_close looks more interesting, since through it we might be able to reach methods from the os module. Let's look inside:
There are probably several ways to go from here, but one is to use the popen method to cat the flag.
And there it is.
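From the defender's side, the whole chain above (template delimiters in user input, dunder attribute traversal, then a reference to popen or os._wrap_close) is visible in the web server's access log. The following detector is an added example, not part of the write-up: it scans constructed log lines (invented client IPs and timestamps; the /notes endpoint is the one named above) and grades each request by which stage of the probing it shows.

```python
"""Flag Jinja2/Flask SSTI probing in web access logs (stdlib only)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format). The payload fragments
# are illustrative, not working exploit chains.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /notes?text=hello+world HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /notes?text=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:31 +0000] "GET /notes?text=%7B%7Bx.__class__.__subclasses__()%7D%7D HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /notes?text=%7B%7Bwrap.popen('id')%7D%7D HTTP/1.1" 200 530
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TEMPLATE_DELIM = re.compile(r"\{\{|\{%|%\}|\}\}")          # Jinja2 expression/statement markers
DUNDER_TRAVERSAL = re.compile(r"__(class|mro|subclasses|globals|builtins|init)__")
OS_EXEC = re.compile(r"\b(popen|system|_wrap_close)\b")   # names the write-up reaches for

def classify_target(target):
    """Return the SSTI indicators found in a (possibly URL-encoded) request target."""
    decoded = unquote_plus(unquote_plus(target))  # second pass catches double encoding
    findings = []
    if TEMPLATE_DELIM.search(decoded):
        findings.append("template-delimiters")
    if DUNDER_TRAVERSAL.search(decoded):
        findings.append("dunder-traversal")
    if OS_EXEC.search(decoded):
        findings.append("os-execution")
    return findings

def severity(findings):
    """Map indicators to a triage level: delimiters alone are a probe, os access is the end state."""
    if "os-execution" in findings and "template-delimiters" in findings:
        return "critical"
    if "dunder-traversal" in findings:
        return "high"
    return "medium" if findings else "none"

def scan_log(text):
    """Return (client, target, severity, findings) for every request carrying an indicator."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_target(m.group("target"))
        if findings:
            results.append((line.split()[0], m.group("target"), severity(findings), findings))
    return results

if __name__ == "__main__":
    for client, target, sev, found in scan_log(SAMPLE_LOG):
        print(f"{sev:8} {client} {target} {found}")
```

The real fix is in the application: render user text as a template variable (`render_template_string("{{ text }}", text=user_input)`) rather than passing the text itself as the template.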