Can you identify a way to bypass our login logic? MD5 is supposed to be a one-way function right?
The web application lets us read any file whose absolute path is at most 10 characters long.
We also know that there is an open file descriptor that includes the flag.
What is a file descriptor?
A file descriptor is an abstract handle used to access a file (or other I/O resource). It is generally represented as a number that points to the actual file.
In Linux they can be stored in two different places:
As explained above, we can read local files, so we can try reading the open file descriptor, but we have to keep the length limit in mind:
We can't exceed 10 characters, so /dev/fd/ may be the way to go: the prefix is 8 characters long, which leaves room for a two-digit descriptor number. Bruteforcing from /dev/fd/99, we get the flag.
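
Why the length limit does not help, and what a check that does help looks like, as an added example (not the challenge's code). The function names, the file name and the secret value are constructed for illustration, and a Linux host with /dev/fd and /proc is assumed.

```python
import os
import tempfile

def length_only_read(path, max_len=10):  # limit described in the write-up
    """The check as described: only the length of the path is limited."""
    if len(path) > max_len:
        raise PermissionError("path too long")
    with open(path, "rb") as fh:
        return fh.read()

def confined_read(path, base_dir):
    """Hardened form: resolve symlinks first, then require the web root."""
    base, real = os.path.realpath(base_dir), os.path.realpath(path)
    if os.path.commonpath([base, real]) != base:
        raise PermissionError(f"{path} resolves outside {base}")
    with open(real, "rb") as fh:
        return fh.read()

def open_descriptors():
    """Audit helper: map every open descriptor of this process to its target."""
    table = {}
    for name in os.listdir("/proc/self/fd"):
        try:
            table[int(name)] = os.readlink(f"/proc/self/fd/{name}")
        except OSError:
            pass  # descriptor was closed while we were listing
    return table

def demo():  # constructed scenario: a secret file is left open by the process
    with tempfile.TemporaryDirectory() as tmp:
        secret, web_root = os.path.join(tmp, "flag.txt"), os.path.join(tmp, "www")
        os.mkdir(web_root)
        with open(secret, "wb") as fh:
            fh.write(b"CONSTRUCTED-SECRET")
        fd = os.open(secret, os.O_RDONLY)  # the leftover descriptor
        try:
            path = f"/dev/fd/{fd}"
            leaked = length_only_read(path)  # short path passes the length check
            try:
                confined_read(path, web_root)
                blocked = False
            except PermissionError:
                blocked = True  # real target lies outside the web root
            return len(path), leaked, blocked, open_descriptors().get(fd)
        finally:
            os.close(fd)

if __name__ == "__main__":
    print(demo())
```

Running open_descriptors() inside a service shows which files it is still holding open; closing them once they are no longer needed removes what /dev/fd/ can expose.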