CTF Player Ranking Test
Beginner Hint 1: Overview of the Challenge
- In `POST /`, you can read files under the `choices` directory.
- The goal is to read `/flag.txt`.
- Strings like `../` do not seem to be filtered, but the 5-character limit appears to prevent path traversal.
Beginner Hint 2: How to Approach the Challenge
- The code assumes that `req.body.choices` is a string, but is that really true?
- However, you cannot send JSON. You need to send the body as `application/x-www-form-urlencoded`.
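The type assumption in Hint 2, seen from the defender's side, as an added example that is not the challenge's own code. `parseForm`, `weakCheck` and `strictCheck` are hypothetical names, the weak check's shape is assumed from the hints, and the allow-list of characters is an assumption about what valid file names look like.

```javascript
// Added example; the real handler is not shown on the page, so its shape is assumed.
const MAX_LEN = 5; // the 5-character limit mentioned in Hint 1

// Stand-in for a form body parser: repeated keys collapse into an array,
// as Node's querystring.parse and Express's urlencoded parser do.
function parseForm(body) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(body)) {
    out[key] = key in out ? [].concat(out[key], value) : value;
  }
  return out;
}

// Assumed weak check: only .length is inspected, so the result depends on
// whether the value is a string (characters) or an array (elements).
function weakCheck(choices) {
  return choices.length <= MAX_LEN;
}

// Hardened check: confirm the type first, then the length, then restrict
// the value to an allow-list with no dots or path separators.
function strictCheck(choices) {
  return typeof choices === 'string'
    && choices.length > 0
    && choices.length <= MAX_LEN
    && /^[A-Za-z0-9_-]+$/.test(choices);
}

// Constructed sample bodies (application/x-www-form-urlencoded).
const single = parseForm('choices=rock');
const repeated = parseForm('choices=first-long-value&choices=second-long-value');

for (const [label, value] of [['single', single.choices], ['repeated', repeated.choices]]) {
  console.log(label, typeof value, Array.isArray(value),
    'weak:', weakCheck(value), 'strict:', strictCheck(value));
}
```

In a real handler the same idea applies after the type check: resolve the requested path and confirm it still sits inside the intended directory before reading it.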