office-press (web, easy)

TL;DR

The challenge involves a WordPress instance, with a flag hidden in a file on the server. The intended solution is likely exploiting an RCE in one of the WP plugins, but... there is an easier way 😊

Looking around

Starting the container:

$ echo "shc2024{fake_flag}" >flag.txt
$ docker build -t office:latest .
$ docker run -p 8000:80 office:latest

The flag is exposed in plain sight

The Dockerfile is copying the flag with:

COPY ./flag.txt ./flag.txt

However, the base image is php:7.4-apache, which defines /var/www/html as its WORKDIR, so the relative destination resolves to /var/www/html/flag.txt, inside the directory Apache serves.

... which means that the flag can be retrieved with a simple request to http://$URL/flag.txt 😊, almost certainly an unintended solution.
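
For challenge authors and image maintainers, the same mistake can be caught before the image ships. The following is an added example, not part of the original write-up or the challenge: a small Dockerfile check that resolves each COPY/ADD destination against the current WORKDIR and reports anything landing in the web root. The function name, the sample Dockerfile and the assumption that every build stage inherits /var/www/html are mine.

```python
import posixpath
import shlex

# Assumption: the official php:*-apache images set WORKDIR to /var/www/html,
# which is also the directory Apache serves.
DOCROOT = "/var/www/html"

# Constructed sample; only the first COPY line comes from the write-up.
SAMPLE = """\
FROM php:7.4-apache
COPY ./flag.txt ./flag.txt
COPY ./flag.txt /flag.txt
WORKDIR /opt/app
COPY ./notes.txt ./
"""

def web_exposed_copies(dockerfile, inherited_workdir=DOCROOT, docroot=DOCROOT):
    """Return (line_no, container_path, url_path) for each COPY/ADD whose
    destination resolves inside docroot. Handles the shell form only
    (no JSON arrays, line continuations or build-arg expansion)."""
    workdir, findings = inherited_workdir, []
    for line_no, raw in enumerate(dockerfile.splitlines(), 1):
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        instr, args = parts[0].upper(), parts[1:]
        if instr == "FROM":
            workdir = inherited_workdir  # assumes each stage uses the same base
        elif instr == "WORKDIR" and args:
            # Relative WORKDIR values stack on the previous one.
            workdir = posixpath.normpath(posixpath.join(workdir, args[0]))
        elif instr in ("COPY", "ADD"):
            paths = [a for a in args if not a.startswith("--")]  # drop --chown etc.
            if len(paths) < 2:
                continue
            *sources, dest = paths
            # A relative destination is resolved against the current WORKDIR.
            target = posixpath.join(workdir, dest)
            for src in sources:
                path = target
                if dest.endswith("/") or len(sources) > 1:  # destination is a directory
                    path = posixpath.join(target, posixpath.basename(src))
                path = posixpath.normpath(path)
                if path == docroot or path.startswith(docroot + "/"):
                    findings.append((line_no, path, path[len(docroot):] or "/"))
    return findings

if __name__ == "__main__":
    for line_no, path, url in web_exposed_copies(SAMPLE):
        print(f"line {line_no}: {path} is served at {url}")
```

Only the relative destination is reported; the absolute /flag.txt copy and the copy made after an explicit WORKDIR stay outside the served directory.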

The flag

shc2024{backup_software_to_the_rescue!}