I made this awesome pastebin clone. Everyone knows that Go is super secure and still unhacked to this day.
The service that implements the interaction with the filesystem (i.e. filesystem/filesystem.go)
is vulnerable to a path traversal attack.
There are a coiple of gotchas that permit this in Go.
filepath.Clean does not remove .. from a path if it doesn't begin with a / (i.e. the path isn't rooted) as one can see in the official docs.
// name is user-controlled, so it may not begin with a slash.
filepath.Join(p.BasePath, filepath.Clean(name))Before passing the path to the os.Open function there is a function
that replaces everything that matches a blocklist with a empty string.
This simple (and insecure) filter can be abused sending a path containing ....//,
which results in ../.
Sending a request along the lines of this reveals the flag:
http://havcebin.chals.beginner.havce.it:8080/paste?key=....//....//....//....//home/havcebin/flag.txt
Make sure the path passed to filepath.Clean starts with a slash (/).
havceCTF{d0t_d0t_d0t_d0t_s14sh_s1l4sh_k1nd4_un3xpec13d}