Ottergram

Today we can see our favorite otters again, this time with the hint "file inclusion".

Whenever I'm testing for file inclusion, the first thing I turn off is the filter in Burp Suite. By default it hides png, css, etc., but that is usually exactly where the vulnerability lives. So after clicking around on the pictures a bit (I did this because I suspected the pictures were fetched in an unsafe manner), I turned to Burp, turned off the filter and found something interesting.

A parameter like ?file=whatever.png is golden, so that is where I started looking for the bug.

I went from /flag.txt ...

... all the way to /../../../../flag.txt.

By then I had two options: either obfuscate the payload with something like /./.././.././../flag.txt, or traverse upward from the path the application already provided. I started testing with the latter.

And sure enough, appending /../../../flag.txt to the original request gave me the flag! 🇧🇪


If appending fails and obfuscating on its own fails too, you can also try combining both, e.g. /uploads/otter2.png/./.././../flag.txt
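From the defender's side, the interesting point in this write-up is that ./ and ../ obfuscation does nothing against a resolver that normalizes the path before checking it, and that the same normalization makes the attack easy to spot in access logs. The example below is added here and is not code from the challenge; the upload directory, the /image endpoint and the log lines are all constructed assumptions. It normalizes a ?file= value the way the OS would, refuses any resolved path that leaves the upload root, and flags traversal attempts (including percent-encoded ones) in sample log lines.

```python
import os
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed upload root for the image handler; the write-up only shows that
# pictures live under /uploads and are served via ?file=<name>.
UPLOAD_ROOT = "/var/www/ottergram/uploads"

# Constructed sample access-log lines (Apache combined style), not from the challenge.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /image?file=/uploads/otter2.png HTTP/1.1" 200 5123',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /image?file=/uploads/otter2.png/../../../flag.txt HTTP/1.1" 200 38',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /image?file=/uploads/otter2.png/./.././../flag.txt HTTP/1.1" 200 38',
    '10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /image?file=%2e%2e%2f%2e%2e%2fflag.txt HTTP/1.1" 404 12',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize_requested(value: str) -> str:
    """Decode a ?file= value and collapse ./ and ../ segments as the OS would.

    /uploads/otter2.png/./.././../flag.txt collapses to /flag.txt, which is
    why dot-segment obfuscation gains nothing against a normalizing resolver.
    """
    decoded = unquote(unquote(value)).replace("\\", "/")  # single or double encoding
    return posixpath.normpath("/" + decoded.lstrip("/"))  # avoid a POSIX '//' prefix


def is_traversal(value: str) -> bool:
    """True if the raw parameter carries '.'/'..' segments or a null byte."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "\x00" in decoded or any(seg in (".", "..") for seg in decoded.split("/"))


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if it escapes base_dir.

    The request is treated as relative to base_dir, symlinks and '..' are
    resolved, and the result must still sit strictly inside base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def suspicious_requests(log_lines: List[str], param: str = "file") -> List[Tuple[str, str]]:
    """Return (raw value, normalized path) for every request that looks like traversal."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # parse_qs decodes once
        for value in query.get(param, []):
            if is_traversal(value):
                hits.append((value, normalize_requested(value)))
    return hits


if __name__ == "__main__":
    for raw, normalized in suspicious_requests(SAMPLE_LOG):
        print(f"traversal attempt: {raw!r} -> {normalized}")
    print("serving:", safe_resolve(UPLOAD_ROOT, "otter2.png"))
    print("refused:", safe_resolve(UPLOAD_ROOT, "../../../flag.txt"))
```

The check in safe_resolve compares realpath outputs rather than string prefixes of the raw input, so the three payload shapes from the write-up all normalize to the same thing and are judged on where they actually land, not on how they were spelled.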
