The MD5 in the URL is generated from `timestamp+filename`.
Since both inputs are known to us, we can generate valid MD5 checksums for arbitrary filenames and exploit the server-side code for Local File Inclusion.
The application runs on Flask, with **Python 3.5** and gunicorn.
In Python 3.5, the compiled bytecode of the application's modules is cached inside the `__pycache__` directory with the `.cpython-35.pyc` extension.
We first retrieve `../__pycache__/__init__.cpython-35.pyc` and decompile it using `uncompyle6`.
The decompiled output can be seen here: https://gist.github.com/rkmylo/a6479fbb5ec8a434810b89c9ccf5924f.
The important line is: `from .conf import *`
We finally retrieve `../__pycache__/conf.cpython-35.pyc` and get the flag.
The flag is: `RCTF{Stop_reInventing_bROken_wheel}`
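
A defensive sketch of the two server-side weaknesses this writeup relies on (an unkeyed `timestamp+filename` MD5 and no containment check on the requested path). It is an added example, not the challenge's code. `UPLOAD_DIR`, `SECRET_KEY` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed values for illustration; the writeup does not give the real ones.
UPLOAD_DIR = "/srv/app/static/files"
SECRET_KEY = b"constructed-demo-key"  # placeholder; load from server-side config


def weak_token(timestamp: str, filename: str) -> str:
    """Scheme from the writeup: unkeyed MD5 over inputs the client already knows."""
    return hashlib.md5((timestamp + filename).encode()).hexdigest()


def signed_token(timestamp: str, filename: str, key: bytes = SECRET_KEY) -> str:
    """Keyed replacement: a valid tag requires the server-side key."""
    # The NUL separator keeps ("12", "3a") and ("123", "a") from colliding.
    msg = timestamp.encode() + b"\x00" + filename.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, timestamp: str, filename: str,
                 key: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison against the expected HMAC tag."""
    return hmac.compare_digest(token, signed_token(timestamp, filename, key))


def resolve_download(filename: str, base: str = UPLOAD_DIR) -> str:
    """Resolve filename under base; refuse anything that escapes the directory."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, filename))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes upload directory")
    return target
```

The signature and the path check are independent controls: even with a correctly signed URL, `resolve_download` keeps requests such as `../__pycache__/conf.cpython-35.pyc` from leaving the upload directory.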