![d0da79d65b1778fd5df79dbdbb01df9e.png](ffee40a21ce74c50915e2559bf6a33bf.png)
using `/help`
![627d2fb70585327cafb187bb85ac5089.png](e1dd70648337403ba82459c0fa6139e5.png)
Neat! Let's try
![24f081ef82707e3822bde8fb301e27d3.png](a97bb7d705844733bbb920296944c68f.png)
The bot has other commands. For example, `/credits`:
![8f75271572366fd011a24b152d55bbcc.png](530ed40390d6469b9060ff0893972d60.png)
Alarm bells started going off in my head immediately upon reading `ImageMagick`.
`ImageMagick` is an open-source image processing software suite that, well, has had some issues in the past. There are quite a few exploits we can look at, but the main one that we're interested in for this case is `CVE-2016-3717`.
![d3a3d9ceb1db1d115dea9953096b37ae.png](72125707ae9b431e8c1c433fc8512565.png)
By passing in `@/opt/flag.txt` we're able to read the contents of the flag file. This works for any file that you know the location of and have permissions to view.
![cbd2d70cfb8a6c70601536072ad3359b.png](d17194233a234a82a1c6892f747b44e7.png)
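From the defender's side, the `@file` read above is cut off by an ImageMagick `policy.xml` rule that denies the `@*` path pattern, and by refusing such input before it reaches ImageMagick. The following is an added example, not code from the bot or this writeup: the two policy documents are constructed samples, `fnmatch` only approximates ImageMagick's glob matching, and `safe_caption` is a hypothetical guard for an application that forwards user text.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the path rule is present and active.
HARDENED = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""

# Constructed sample: the same rule exists only inside an XML comment,
# so ImageMagick never applies it.
COMMENTED_OUT = """<policymap>
  <!-- <policy domain="path" rights="none" pattern="@*"/> -->
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""


def denied_path_patterns(policy_xml: str) -> list[str]:
    """Return the patterns of all active path rules with rights="none"."""
    root = ET.fromstring(policy_xml)  # XML comments are skipped by the parser
    return [
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "path"
        and p.get("rights", "").lower() == "none"
    ]


def indirect_read_blocked(policy_xml: str, probe: str = "@/opt/flag.txt") -> bool:
    """True if some active deny rule matches the @file argument from the writeup."""
    return any(fnmatch.fnmatchcase(probe, pat)
               for pat in denied_path_patterns(policy_xml))


def safe_caption(text: str) -> str:
    """Hypothetical application-side guard: reject text that starts with '@'
    before it is handed to ImageMagick as a label or caption."""
    if text.lstrip().startswith("@"):
        raise ValueError("caption may not start with '@'")
    return text


if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("commented out", COMMENTED_OUT)):
        print(f"{name}: @file read blocked = {indirect_read_blocked(doc)}")
```
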
---
Tags: #ctf #imagmagick #CVE-2016-3717