Tags: path-traversal unintended web
We noticed the application uses `dotenv` to store the flag and also found a path traversal vulnerability (unintended by the author).
`dotenv` fetches values from a file called `.env`. So we can get the flag by fetching this file!
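The `--path-as-is` option stops curl from collapsing the `../` segments before it sends the request, so the server receives the path exactly as written:

```
curl --path-as-is https://cookie-recipes-v2.2020.redpwnc.tf/../../../../../../../app/.env
```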
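For the server side of this bug, here is an added example (not the challenge's source code) contrasting a file-path resolver that lets the request above reach `/app/.env` with a hardened one that checks containment and refuses dotfiles. The document root `/app/public` and the function names are assumptions made for illustration.

```javascript
// Added example. WEB_ROOT and the handler shape are assumptions, not the challenge's code.
const WEB_ROOT = '/app/public';

// Collapse "." and ".." the way the filesystem would when opening the path.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); // at "/" there is nothing left to pop
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable pattern: root + raw request path, no containment check.
function resolveUnsafe(requestPath) {
  return normalize(WEB_ROOT + '/' + requestPath);
}

// Hardened: decode once, normalize, then require the result to stay inside
// WEB_ROOT and refuse dotfiles such as .env even when they are inside it.
function resolveSafe(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  const resolved = normalize(WEB_ROOT + '/' + decoded);
  const inside = resolved === WEB_ROOT || resolved.startsWith(WEB_ROOT + '/');
  if (!inside) return null;
  const rel = resolved.slice(WEB_ROOT.length);
  if (rel.split('/').some((seg) => seg.startsWith('.'))) return null;
  return resolved;
}

// Constructed request paths; the first is the path from the curl command above.
const samples = ['/../../../../../../../app/.env', '/%2e%2e/%2e%2e/app/.env',
  '/.env', '/index.html'];
for (const p of samples) {
  console.log(p, '->', resolveUnsafe(p), '|', resolveSafe(p));
}
```

Keeping secrets such as `.env` outside any directory the web server can read adds a second layer if the containment check is ever bypassed.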