[/MNT/AIN LIB] [WEB] knowledge-archive

SRC:https://library.m0unt41n.ch/challenges/knowledge-archive

Holy, this one is easy but took some time. I first was a lil sussed out about the AI Readable Data stuff (an HMAC using the flag as key) and all the file reads/writes or even the popen & glob usage... but this was all a red herring. Also this whole config stuff was hella sussy, we can control inputs into a file containing the flag, but it wasn't as obvious how to exploit this.

The actual vuln is within how ConfigParser works: it uses BasicInterpolation, which means we can use placeholders like %(somekey)s, which will then be replaced by the value of said key if it exists in the config.

Since we know from the earlier analysis that we control title/content and can basically inject anything into the config, and we also know that the default config containing the flag gets copied, we just use the flag placeholder, %(flag)s, and place it into the content field, for example.
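Added example (not the challenge's code, and not from the original write-up): the same round trip through ConfigParser with BasicInterpolation, next to two hardened variants, interpolation switched off or "%" escaped before storing. The section name "entry", the helper save_and_load and the flag value are assumptions made up for the demo.

```python
import configparser
import io

# Constructed stand-in for the default config that gets copied. The key name
# "flag" is from the write-up; the value and layout are assumptions.
DEFAULT_CONFIG = "[DEFAULT]\nflag = FLAG{constructed_placeholder}\n"


def save_and_load(content, *, interpolate=True, escape=False):
    """Store user content next to the flag, write the file, read it back.

    interpolate=True  -> ConfigParser default behaviour (BasicInterpolation)
    interpolate=False -> interpolation=None, values are returned verbatim
    escape=True       -> double every "%" so it is treated as a literal
    """
    interp = configparser.BasicInterpolation() if interpolate else None
    if escape:
        content = content.replace("%", "%%")

    # Hypothetical app logic: copy the defaults, add the user-controlled fields.
    cp = configparser.ConfigParser(interpolation=interp)
    cp.read_string(DEFAULT_CONFIG)
    cp["entry"] = {"title": "note", "content": content}

    # Serialize, as the app would when writing the config to disk.
    buf = io.StringIO()
    cp.write(buf)

    # Later read: get() is where placeholders are expanded. Keys from
    # [DEFAULT] are visible in every section, so %(flag)s resolves.
    loaded = configparser.ConfigParser(interpolation=interp)
    loaded.read_string(buf.getvalue())
    return loaded.get("entry", "content")


if __name__ == "__main__":
    payload = "%(flag)s"
    print("default     :", save_and_load(payload))
    print("no interp   :", save_and_load(payload, interpolate=False))
    print("escaped '%' :", save_and_load(payload, escape=True))
```

Keeping the secret out of any file that also holds user-controlled values removes the problem entirely; the two parser-side fixes only stop the expansion.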

