We need to log in as admin.
Look at the cookie name _letmein_session → the web app uses the Ruby on Rails framework.
Path traversal at /static?image=… → read /proc/self/environ → get SECRET_KEY_BASE → it is used to encrypt and sign the user session → idea: forge a session to become admin.
Look at the login endpoint /users/sign_in → the app probably uses Devise, a well-known authentication library for Ruby on Rails; you can use the path traversal to read the Gemfile to confirm, and to read the source code.
What is inside the session used by Devise? The user id and half of the user's password hash (check the Devise source code for details).
Use directory brute force → found /data/debug → off-by-slash → /data../?order=ASC → SQL injection → found the admin's user id and half of the admin's password hash → forge an admin session and log in as admin → get the flag.
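As an added example (not code from the challenge or the writeup), here is the kind of static-file handler that makes the /static?image= traversal possible, beside a hardened version that canonicalises the path and refuses anything outside the image directory; the root directory and function names are assumptions.

```ruby
# Constructed root for the example; a real app would derive this from Rails.root.
STATIC_ROOT = "/srv/app/public/images"

# Vulnerable form: the user-supplied name is joined straight onto the root, so
# "../../../../proc/self/environ" walks out of the directory and reaches the
# process environment (where SECRET_KEY_BASE lives).
def resolve_static_unsafe(image)
  File.join(STATIC_ROOT, image)
end

# Hardened form: resolve the candidate to a canonical absolute path first, then
# require that it still sits under STATIC_ROOT (trailing separator included, so
# "/srv/app/public/images2" cannot pass as a prefix match). Absolute inputs,
# nil, and NUL bytes are rejected. Returns nil for anything that escapes.
def resolve_static_safe(image)
  return nil if image.nil? || image.include?("\0")
  candidate = File.expand_path(image, STATIC_ROOT)
  return nil unless candidate.start_with?(STATIC_ROOT + File::SEPARATOR)
  candidate
end
```

Serving only the value returned by `resolve_static_safe` (and keeping secrets out of the environment of the web process, or rotating `secret_key_base` after any disclosure) removes the first link of the chain above.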