## Try

#### REFERENCE

http://rawsec.ml/en/C3CTF-33-150-try-web/

#### Description

“I never try anything, I just do it!” Do

Flag is in /challenge/flag

#### Solution

First, test the load and run functions.
The load function takes the selected option's value as a path and reads that file.
The run function runs the specific file that the hidden input value points to, and that file must be valid Haskell source code:

`ghc $_POST['run_file']`

Path traversal fails here: the application checks the beginning of the value, and if it contains `..` or `./../` it reports `Possible path traversal detected!`. So we cannot load or run a file outside the directory and have to find another way.

Look at the upload page and the profile page. The upload page is not implemented. Users can change their name and avatar on the profile page, and that is the only entrance. However, it cannot upload any files except GIF, and the image size must be larger than a small integer. So try to upload a fake GIF image.

The GIF image format starts with `GIF89a`, so try to construct a Haskell program that starts with `GIF89a`. It was difficult until the contest ended. :) We can write it like this:

```haskell
GIF89a = GIF89a{--}
data GIF89a = GIF89a
main = do
  contents <- readFile "/challenge/flag"
  print$ contents
```
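As an added example (not from the writeup, and not the challenge's own code), the Python below reproduces the kind of header-only validation the upload filter appears to use and shows why the Haskell polyglot passes it: the bytes right after the magic are read as little-endian width and height, so `" = G"` becomes two large dimensions. It contrasts that with a walk of the GIF block structure that rejects the file. The threshold value and the filter's exact logic are assumptions.

```python
import struct

# Constructed sample: the writeup's Haskell polyglot, whose first six bytes are the GIF magic.
POLYGLOT = (b'GIF89a = GIF89a{--}\ndata GIF89a = GIF89a\nmain = do\n'
            b'  contents <- readFile "/challenge/flag"\n  print$ contents\n')
# Constructed sample: a well-formed 1x1 GIF (header, 2-entry global colour table, image, trailer).
TINY_GIF = (b'GIF89a\x01\x00\x01\x00\x80\x00\x00' + b'\x00\x00\x00\xff\xff\xff'
            + b'\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00' + b'\x02\x02\x44\x01\x00\x3b')
MIN_DIM = 16  # assumed threshold; the writeup only says "a small int"


def naive_gif_check(data: bytes, min_dim: int = MIN_DIM) -> bool:
    """Magic-plus-dimensions check, modelled on what the upload filter appears to do (assumed)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack_from("<HH", data, 6)  # little-endian logical screen size
    return width > min_dim and height > min_dim


def strict_gif_check(data: bytes) -> bool:
    """Walk the GIF block structure; only a stream that ends in a trailer passes."""
    if not naive_gif_check(data, 0):
        return False
    pos = 13
    if data[10] & 0x80:                       # global colour table follows the screen descriptor
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                     # trailer must be the final byte
            return pos == len(data) - 1
        if block == 0x21:                     # extension: introducer + label, then sub-blocks
            pos += 2
        elif block == 0x2C:                   # image descriptor: 10 bytes, optional local table
            if pos + 10 > len(data):
                return False
            packed = data[pos + 9]
            pos += 10 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)
            pos += 1                          # LZW minimum code size, then data sub-blocks
        else:
            return False                      # the polyglot's '9' of "GIF89a = GIF89a" lands here
        while True:                           # length-prefixed sub-blocks until a zero terminator
            if pos >= len(data):
                return False
            n = data[pos]
            pos += 1 + n
            if n == 0:
                break
    return False                              # ran off the end without a trailer
```

A filter that only inspects the magic and dimensions accepts the polyglot; walking the block structure (or re-encoding the image server-side) rejects it, and keeping uploads out of any directory the run function can reach removes the path to code execution regardless.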