![d0da79d65b1778fd5df79dbdbb01df9e.png](ffee40a21ce74c50915e2559bf6a33bf.png)

using `/help`

![627d2fb70585327cafb187bb85ac5089.png](e1dd70648337403ba82459c0fa6139e5.png)

Neat! Let's try

![24f081ef82707e3822bde8fb301e27d3.png](a97bb7d705844733bbb920296944c68f.png)

The bot has other commands. For example, `/credits`

![8f75271572366fd011a24b152d55bbcc.png](530ed40390d6469b9060ff0893972d60.png)

Alarm bells started going off in my head immediately upon reading `ImageMagick`.

`ImageMagick` is an open-source image processing software suite that, well, has had some issues in the past. There are quite a few exploits we can look at, but the main one that we're interested in for this case is `CVE-2016-3717`.

![d3a3d9ceb1db1d115dea9953096b37ae.png](72125707ae9b431e8c1c433fc8512565.png)

By passing in `@/opt/flag.txt` we're able to read the contents of the flag file. This works for any file that you know the location of and have permissions to view.

![cbd2d70cfb8a6c70601536072ad3359b.png](d17194233a234a82a1c6892f747b44e7.png)
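The fix on the bot's side is to never hand user text starting with `@` to ImageMagick. The following is an added example, not code from the challenge bot or the original writeup; it assumes the bot renders text through the `label:` coder of `convert`, and the function names, length limit and sample messages are hypothetical.

```python
from __future__ import annotations
import unicodedata

MAX_LEN = 200  # assumed length limit for a chat-bot caption


class UnsafeCaption(ValueError):
    """User text that must not reach ImageMagick as-is."""


def validate_caption(text: str) -> str:
    """Return the trimmed caption, or raise UnsafeCaption."""
    cleaned = text.strip()
    if not cleaned or len(cleaned) > MAX_LEN:
        raise UnsafeCaption("empty or too long")
    # Control characters (newlines, NUL, escapes) have no place in a one-line caption.
    if any(unicodedata.category(ch) == "Cc" for ch in cleaned):
        raise UnsafeCaption("control character")
    # ImageMagick treats text starting with '@' as "read the text from this file".
    if cleaned.startswith("@"):
        raise UnsafeCaption("leading '@' would be read as a file path")
    return cleaned


def build_argv(text: str, out_path: str) -> list[str]:
    """Build an argv list (no shell) for rendering the validated caption."""
    caption = validate_caption(text)
    return ["convert", "-background", "white", "-fill", "black",
            f"label:{caption}", out_path]


def triage(messages: list[str]) -> tuple[list[str], list[tuple[str, str]]]:
    """Split messages into accepted captions and (message, reason) rejections."""
    accepted, rejected = [], []
    for msg in messages:
        try:
            accepted.append(validate_caption(msg))
        except UnsafeCaption as exc:
            rejected.append((msg, str(exc)))
    return accepted, rejected


# Constructed sample input, not taken from the challenge.
SAMPLES = ["hello world", "@/opt/flag.txt", "  @notes.txt",
           "mail me: user@example.com", "line1\nline2"]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    for msg, reason in bad:
        print("rejected:", repr(msg), "->", reason)
```

As a second layer, ImageMagick's `policy.xml` can deny indirect reads with `<policy domain="path" rights="none" pattern="@*"/>`, and the bot process should run as a user that cannot read files such as the flag in the first place.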