Tags: web python pathtraversal 

## Web/Novel reader 2 (104 solves)
> Submit the second flag of "Novel Reader" here

The same website has another file we have to read: `private/A-Secret-Tale.txt`.

Looking at the word balance, it seems we can set negative values, for example by purchasing `-100` words.

The source code for reading the file is as follows:

```python
buf = readFile(name).split(' ')
buf = ' '.join(buf[0:session['words_balance']])+'... Charge your account to unlock more of the novel!'
```

If we make `session['words_balance']` equal to `-1`, we can read the whole file!

I set my word balance to -1 and then used the path traversal vulnerability to read the file.

![Alert](https://seall.dev/images/ctfs/mapnactf2024/novel-reader-2.png)

Flag: `MAPNA{uhhh-y0u-607-m3-4641n-3f4b38571}`
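
The slicing bug above, next to a hardened form, as an added example that is not part of the original writeup or the challenge source: with a balance of `-1`, Python's `buf[0:-1]` returns every word except the last one, and clamping the balance plus rejecting non-positive purchases removes the bypass. `SAMPLE`, `preview_vulnerable`, `preview_hardened` and `charge` are hypothetical names, and the sample text is constructed.

```python
# Added example: every name except words_balance is hypothetical.
SUFFIX = '... Charge your account to unlock more of the novel!'

# Constructed sample text standing in for the novel file.
SAMPLE = 'one two three four five six'


def preview_vulnerable(text, words_balance):
    """Same slicing as the snippet on the page: the balance is used unchecked."""
    buf = text.split(' ')
    # A negative end index counts from the end of the list, so -1 means
    # "everything except the last word" instead of "nothing".
    return ' '.join(buf[0:words_balance]) + SUFFIX


def preview_hardened(text, words_balance):
    """Reject non-integer balances and clamp negatives to zero before slicing."""
    if isinstance(words_balance, bool) or not isinstance(words_balance, int):
        raise TypeError('words_balance must be an int')
    buf = text.split(' ')
    return ' '.join(buf[:max(words_balance, 0)]) + SUFFIX


def charge(words_balance, amount):
    """Hypothetical purchase handler: only positive integer amounts are accepted."""
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError('purchase amount must be a positive integer')
    return words_balance + amount


if __name__ == '__main__':
    print(preview_vulnerable(SAMPLE, 2))    # two words, as intended
    print(preview_vulnerable(SAMPLE, -1))   # all but the last word
    print(preview_hardened(SAMPLE, -1))     # no words at all
```
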

**Files:** [novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz](https://web.archive.org/web/20240121175613/https://mapnactf.com/tasks/novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz)

Original writeup (https://seall.dev/posts/mapnactf2024#webnovel-reader-2-104-solves).