Leak some secret configuration variables

Difficulty: Medium

UnicornBox stores some configuration variables in a config.yml file in a folder separate from the users’ files. The layout of the server storage is as follows:

site/
  file/
    foo1.txt
    foo2.txt
    ...
  config/
    config.yml

Your task: Gain access to the secrets stored within config.yml.


Tips

  • Most browsers modify URLs before they are actually sent to the server. If you are having trouble determining what URLs are sent to the server, consider using the Network tab of your browser’s debugger.

  • If you need to encode certain characters (this is not required, but might be helpful for some people), check out some HTML URL encodings.

  • What happens if you try to access a file that your user account doesn’t have access to? Consider what has to be true before a file is “served” from the file system in this website.

  • The Path Traversal lecture slides may be helpful.
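The third tip asks what must be true before a file is served. As an added illustration (not part of the assignment or of UnicornBox's own code), the following server-side check shows the property a correct implementation enforces: the requested name, after URL decoding and normalisation, must still resolve to a path strictly inside the site/file/ directory. The absolute path /srv/site/file is an assumed location for that directory.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed layout from the challenge: user files live under site/file/, the
# secrets under site/config/. Only the former may ever be served.
FILE_ROOT = "/srv/site/file"  # hypothetical absolute path of site/file


def safe_file_path(requested: str, root: str = FILE_ROOT) -> Optional[str]:
    """Map a user-supplied file name to a path inside root, or return None.

    Decoding is repeated until the string stops changing, so a name that was
    percent-encoded more than once is judged on its final form, not on the
    encoded text the browser or a client sent.
    """
    name = requested
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    # Absolute names, null bytes and backslashes are never legitimate here.
    if name.startswith("/") or "\x00" in name or "\\" in name:
        return None
    # Resolve "." and ".." lexically, then anchor the result under root.
    candidate = posixpath.normpath(posixpath.join(root, name))
    # The joined path must remain strictly inside root (not root itself).
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        return None
    # On a live server, additionally resolve symlinks (os.path.realpath) and
    # repeat the containment check on the real path before opening the file.
    return candidate


if __name__ == "__main__":
    for req in ("foo1.txt", "../config/config.yml", "%2e%2e/config/config.yml"):
        print(f"{req!r:35} -> {safe_file_path(req)}")
```

Both the plain `../` request and its percent-encoded form map to a path outside the allowed directory and are refused, while ordinary names resolve under site/file/.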