Tags: misc web 

Rating: 5.0

# Pearl's U-Stor

**Category**: Web \
**Points**: 240 (21 solves) \
**Author**: zaratec

## Challenge


Attachments: `pearls-ustor.tar.gz` \
Site: http://pearl.pwni.ng/

## Overview

This is a simple flask web app that allows us to upload files, which are stored
in `/tmp/<cookie_id>/`.

Unfortunately, they used `secure_filename`, so we can't put weird characters in
the file path:

```python
file_path = os.path.join(
```

However, they made a mistake that allows us to list arbitrary files:

```python
file_list = os.listdir(os.path.join(app.config["TMP_FOLDER"], cookie_id))
```

By setting our `cookie_id` to `/` we can see that the app is hosted in a Cygwin
environment, and that the flag is stored in `/cygdrive/c/flag.txt`.


However, clicking on `flag.txt` returns a 404 ("Nothing here.") because of this check:

```python
if not os.path.exists(
    os.path.join(app.config["TMP_FOLDER"], secure_filename(cookie_id), filename)
):
    abort(404, description="Nothing here.")
```

## Solution

Exploit: Upload a `flag.lnk` symlink to `/cygdrive/c/flag.txt`
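
A hardened version of the two checks from the overview, added here as an example and not part of the original writeup or the challenge source: the per-user folder name is validated before any filesystem call (the raw listing is what let a `cookie_id` of `/` enumerate the whole filesystem), the resolved path has to stay under the user's folder, and the requested entry may not itself be a symlink (the `.lnk` upload). `resolve_user_path`, `demo` and the directory layout are constructed for this example; a strict regex stands in for werkzeug's `secure_filename` so the block runs with the standard library only, and the symlink is a plain POSIX one rather than a Cygwin `.lnk`.

```python
import os
import re
import tempfile

# Hypothetical allow-list for the per-user folder name (stands in for secure_filename).
# Validating the id up front matters because os.path.join(tmp, "/") returns "/" -
# an absolute component discards everything before it.
COOKIE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_user_path(tmp_folder, cookie_id, filename=None):
    """Return the real path of the requested entry, or None if the request must be refused.

    filename=None means "list the user's folder"; otherwise a single file inside it.
    """
    # 1. Reject the folder name before touching the filesystem (the listing bug).
    if not isinstance(cookie_id, str) or not COOKIE_ID_RE.fullmatch(cookie_id):
        return None
    base = os.path.realpath(os.path.join(tmp_folder, cookie_id))
    if filename is None:
        return base

    # 2. Only a bare file name is acceptable: no separators, no "." or "..".
    if not filename or filename in (".", "..") or filename != os.path.basename(filename):
        return None
    target = os.path.join(base, filename)

    # 3. Refuse symlinks outright instead of following them (the .lnk trick).
    if os.path.islink(target):
        return None

    # 4. Belt and braces: the fully resolved path must still be under the user's folder.
    real = os.path.realpath(target)
    if os.path.commonpath([base, real]) != base:
        return None
    return real


def demo():
    """Constructed scenario: one legitimate upload and one symlink pointing outside the folder."""
    root = tempfile.mkdtemp()
    tmp_folder = os.path.join(root, "tmp")
    secret = os.path.join(root, "flag.txt")  # stands in for /cygdrive/c/flag.txt
    with open(secret, "w") as f:
        f.write("not-the-real-flag\n")

    user_dir = os.path.join(tmp_folder, "user1")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "notes.txt"), "w") as f:
        f.write("hello\n")
    os.symlink(secret, os.path.join(user_dir, "flag.lnk"))

    return {
        # cookie_id "/" must not turn into a listing of the filesystem root
        "listing_root_refused": resolve_user_path(tmp_folder, "/") is None,
        # classic traversal in the file name
        "traversal_refused": resolve_user_path(tmp_folder, "user1", "../flag.txt") is None,
        # a symlink inside the user's folder pointing outside it
        "symlink_refused": resolve_user_path(tmp_folder, "user1", "flag.lnk") is None,
        # an ordinary upload still works
        "legit_allowed": resolve_user_path(tmp_folder, "user1", "notes.txt") is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The order of the checks is the point: the challenge sanitized the id in the existence check but not in the listing, so a single shared resolver that every route calls closes both holes at once, and refusing symlinks (rather than calling `os.path.exists`, which follows them) is what makes the uploaded link useless.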

Walkthrough: https://youtu.be/yht7bpF0Ei0 (solved with ammar2, elnardu, and Exaphis)

Original writeup (https://github.com/cscosu/ctf-writeups/tree/master/2021/plaidctf/pearls_ustor).