Tags: web 

Rating:

I quickly started reading the Dockerfile and app.py. Quickly realised that the flag.txt was at / (from Dockerfile) and that the Flask web app would load custom css based on file at the given path from user. It became obvious that the objetive is to load thr flag.txt as custom css file and then view the it using the View Page Source option. The Dockerfile showed that the web app was running in /app directory. Now the challenge was to somehow reach /flag.txt without using '../' anywhere or '/' at the start. Now realising that '../' can't be used anywhere and '/' can't be used only in the beginning because the function returning after the error is what helped me solve the challenge. So I just put the path as `//flag.txt`.

![image](https://user-images.githubusercontent.com/121946596/254964425-f3065e9a-daab-4f8c-a44d-502f919946ec.png)

Thus the flag `amateursCTF{h1tt1ng_th3_r3curs10n_l1mt_1s_1mp0ssibl3}`.

Original writeup (https://gist.github.com/kn1-gh7/37282f568c293960917e1915bb3c445b#funny-factorials).