How I Parsed your JSON
Writeup for How I Parsed your JSON (Web) - CTF@CIT CTF (2025) 💜
Last updated
Writeup for How I Parsed your JSON (Web) - CTF@CIT CTF (2025) 💜
Last updated
"This is the story of how I defined your schema."
The flag is in secrets.txt
We are greeted by a FlaskMyAdmin
page, providing some basic instructions. First, we can make basic queries where the URL looks like http://23.179.17.40:58004/select?record=*&container=tasks
.
Secondly, we have some Getting Started
instructions.
Create a directory called containers
Create a file named after your table name (do not include .json)
Add your data in valid JSON format
Sounds like we need to modify the URL to create a directory first. I tried some different endpoints and request methods but it all failed. Maybe we can just read files?
Yep! So we can try the secrets.txt
.
However, it shows "Invalid query"
, which is probably due to comment on the page "File extensions will be removed from queries"
.
First, I simply try two extensions, assuming that the first may be stripped but not the second. Actually, it looks good! The output shows "Results from secrets.txt"
now, rather than "Results from secrets"
. It still says "Invalid query"
though 🤔
Maybe we should look for other important files. It's a Flask app, so let's try some common ones. Remember the double extension: /app/app.py.py
Notice the code for stripping file extensions and replacing ../
, we can easily bypass that with URL-encoding (%2e%2e%2f
) or even ..//
We don't need to though, the flag is in /app/secrets.txt.txt
Just visit http://23.179.17.40:58004/select?record=*&container=/app/secrets.txt.txt
Flag: CIT{235da65aa6444e27}