I've been getting into this personal blog thing. It's been really fun but apparently you're not supposed to post certain info on the interwebs. Flag is at /flag.txt

tells us exactly where to find the flag, so all we have to do is find how to access it.

Trying simple path traversal attacks proved unsuccessful, so I went through the blogs on the front page. All of them held nothing of note, but there were two interesting details.

One, the background image was fetched using an endpoint that accepted a file name as an argument. A coincidence? I think not.

Two, the front page exposed three blogs, blog 1, 2 and 4. Where was three?

Trying to access it manually opened this page:

It was amusing, and while I played around with the pdf viewer in hopes of being able to find a way to access flag.txt, there were no results.

That changed once I checked the HTML of the page.

<! — i had to delete this bc it has my personal info on it :( →

<! — for documents in the 'other' folder only people with the API key has access →

An API key for sensitive documents? Solid gold. Using the attachment endpoint combined with "/flag.txt" as the file name (note the forward slash has to be present, I was tricked by it for a little while) along with the api key, I found the flag.

Thanks for reading, and see you next time!