CTFs://RuSec 2026 – Web/SWE Intern at Girly Pop Inc
This is an easy challenge that involves improper access control trough a path traversal vulnerability and exposure of sensitive information with a Git repository.
The Webapp Recon
We land on a page that let’s us generate JWT tokens. Nothing special on this page.
On the API Docs page, we can find some information about a internal file viewer that is restricted to the static directory. This hint’s us that there is probably a path traversal vulnerability to exploit and access the underlying file system if not properly secured.
Having a look at the last page that is System Status, it is indicated that there is a deployment automated via git hooks, hence the presence of a git repository.
The Exploit
Trying some paths with the page query parameter we are able to download a HEAD file and confirm the existence of the repository.
From there we can use a tool such a git-dumper to try to retrieve the contents of the repository.
Then with further inspection we can spot a commit that indicated “removed flag” along with a previous initial commit. We can switch to that previous commit. This is pretty straightforward.
After the switch we are able to restore the file with the flag and read it’s contents.
Leave a Reply