The MD5 in the URL is generated from `timestamp+filename`.

We can generate valid MD5 checksums ourselves and exploit the server-side code for Local File Inclusion.

The application runs on Flask, with **Python 3.5** and gunicorn.

In Python 3.5, the compiled bytecode of the server's modules is "cached" inside the `__pycache__` directory with the `.cpython-35.pyc` extension.

We first retrieve `../__pycache__/__init__.cpython-35.pyc` and decompile it using `uncompyle6`.

The decompiled output can be seen here: https://gist.github.com/rkmylo/a6479fbb5ec8a434810b89c9ccf5924f.

The important line is: `from .conf import *`

We finally retrieve `../__pycache__/conf.cpython-35.pyc` and get the flag.

The flag is: `RCTF{Stop_reInventing_bROken_wheel}`
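
For the defending side, the following added example (not code from the challenge or the original writeup) puts the unkeyed `timestamp+filename` MD5 check next to a hardened handler that uses a keyed MAC and a path containment check. `DOWNLOAD_ROOT`, `SECRET_KEY`, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DOWNLOAD_ROOT = "/srv/app/files"      # assumed directory, not from the challenge
SECRET_KEY = b"constructed-demo-key"  # placeholder; load from secret storage in practice


def weak_token(timestamp: str, filename: str) -> str:
    """Scheme described in the writeup: unkeyed MD5 over timestamp+filename."""
    return hashlib.md5((timestamp + filename).encode()).hexdigest()


def weak_check(timestamp: str, filename: str, token: str) -> bool:
    # No secret is involved, so any client can recompute a matching token.
    return token == weak_token(timestamp, filename)


def strong_token(timestamp: str, filename: str) -> str:
    """Keyed MAC: cannot be recomputed without SECRET_KEY."""
    # The NUL separator keeps (timestamp, filename) pairs unambiguous.
    msg = timestamp.encode() + b"\x00" + filename.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def resolve_download(timestamp: str, filename: str, token: str):
    """Return the absolute path to serve, or None if the request is rejected."""
    expected = strong_token(timestamp, filename).encode()
    if not hmac.compare_digest(token.encode(), expected):
        return None
    root = os.path.realpath(DOWNLOAD_ROOT)
    path = os.path.realpath(os.path.join(root, filename))
    # Containment check: even a correctly signed name must stay under the root,
    # so "../__pycache__/..." is refused regardless of the token.
    if os.path.commonpath([root, path]) != root:
        return None
    return path
```

The containment check is kept independent of the MAC so that a signing bug or leaked key alone does not reopen the traversal.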

Original writeup (https://gist.github.com/rkmylo/7abcc7ba8a0807161a5903e7f4aa3633).