1.3 KiB
Difficulty
Hard
Category
Web
How to solve
The goal of this challenge is to see the photo uploaded by the administrator. It should be clear, given the source code, that a photo is automatically uploaded as part of the challenge.
After finding the first challenge, we have access to the caption of the administrator's photo, but not to the image itself. Unfortunately, the API route for getting the image itself checks for the correct permissions.
However, the frontend uses Next.js' Image component for showing images. This automatically optimizes and caches images. The application is served using nginx, which is configured in this case to "cache all the static assets". However, Next.js' static assets are served from /_next/static/, and not /_next/, which is also used by the image component at /_next/image. We can use this endpoint to get a cached version of the administrator's image, bypassing the authentication checks of the backend. You can also see this by playing around in the DevTools and seeing that the sources of the images go to /_next/image and not /api/photo/....
To get the image associated with the flag, visit http://localhost:3000/_next/image?url=%2Fapi%2Fphotos%2F1.jpeg
Flag
IGCTF{a-bIt-t00-0pt1mized}