# Personnel


- __Attachments:__ [app.py](resource/app.py)

# Resources
| File | Description |
|------|-------------|
| [app.py](resource/app.py) | Source code |

# Exploitation


Look at the [app.py](resource/app.py), We see that `flag` and `users` variable read file and `flag`'s values was appended to `users`. Look at route `/` there are two methods `GET`, and `POST` was accepted. In `POST` method, it qeury two variables, `name` and `setting` from `POST` request.

```python
#!/usr/bin/env python

from flask import Flask, Response, abort, request, render_template
import random
from string import *
import re

app = Flask(__name__)

flag = open("flag.txt").read()
users = open("users.txt").read()

users += flag

@app.route("/", methods=["GET", "POST"])
def index():
if request.method == "GET":
return render_template("lookup.html")
if request.method == "POST":
name = request.form["name"]
setting = int(request.form["setting"])
if name:
if name[0].isupper():
name = name[1:]

results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting)
results = [x.strip() for x in results if x or len(x) > 1]

return render_template("lookup.html", passed_results=True, results=results)

if __name__ == "__main__":
app.run()
```


We input `name`= `A.*` and `setting = 2`. So we will bypass if condition and we get full regex.
regex = `[A-Z][a-z]*?.*[a-z]*?\n` but at `[a-z]*?` is not matched with flag, so we need to ignore case sensitive for this case.
so we set setting = 2 similar [`re.IGNORECASE`](https://docs.python.org/3/library/re.html#:~:text=re.-,IGNORECASE,-%C2%B6)
# Flag

```
flag{f0e659b45b507d8633065bbd2832c627}
```

Original writeup (https://github.com/vichhika/CTF-Writeup/tree/main/NahamCon%20CTF%202022/Personnel).