Tags: web 

Rating: 1.0

The challenge downloads contained the server’s Dockerfile and Flask server script.

The server accepted an image in a POST request and echoed a resized version of the same image.

The Dockerfile builds on the base image vulhub/ghostscript:9.23-python, an intentionally vulnerable container image that ships an older version of the Pillow library (CVE-2018-16509).

A quick Google search leads us to the vulhub GitHub repository, which contains information about the CVE and a convenient exploit payload, i.e. a JPG image containing Ghostscript RCE. I modified the RCE to open a reverse shell to my server and found the flag inside the SQLite database of the app server.
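As an added example (not part of the original writeup or the challenge code), this is the kind of upload gate the resize endpoint was missing: it classifies the uploaded bytes by their leading signature, ignores the attacker-chosen filename and Content-Type, and rejects anything that is not an allowlisted raster format, so a PostScript file renamed to .jpg is dropped before it can reach a Ghostscript-backed decoder. The function names, the size budget and the sample blobs are constructed for this example.

```python
"""Allowlist gate for image uploads: only bytes that look like JPEG or PNG
are handed on to the image library; PostScript/EPS is rejected outright."""
from typing import Optional

# Magic bytes for the only formats the resize endpoint needs (constructed table).
ALLOWED_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Headers Pillow's EPS plugin recognises: the text PostScript prefix and the
# binary DOS-EPS header. The allowlist already excludes them; the explicit
# deny makes the intent obvious when reading a log of rejected uploads.
POSTSCRIPT_SIGNATURES = (b"%!PS", b"\xc5\xd0\xd3\xc6")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'jpeg' or 'png' based on the leading bytes, otherwise None."""
    for name, magics in ALLOWED_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def is_safe_upload(data: bytes, max_bytes: int = 5 * 1024 * 1024) -> bool:
    """Accept only allowlisted raster formats within a size budget."""
    if not data or len(data) > max_bytes:
        return False
    if data.startswith(POSTSCRIPT_SIGNATURES):
        return False
    return sniff_image_type(data) is not None


if __name__ == "__main__":
    # Constructed samples: a JPEG SOI marker, a PNG signature, and a
    # PostScript file uploaded under a .jpg name (the disguise the page describes).
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "renamed.jpg": b"%!PS-Adobe-3.0\n",
    }
    for name, blob in samples.items():
        verdict = "accepted" if is_safe_upload(blob) else "rejected"
        print(f"{name}: {verdict}")
```

Signature sniffing is only the first gate: the decoder still needs to be pinned to the allowlisted formats (and Ghostscript patched or removed from the image), because a file that passes this check is still parsed by the library afterwards.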

Original writeup (https://arush15june.github.io/posts/2020-11-09-csaw-ctf-finals-2020-writeup/).