My friend made a file storage website that he says is super secure. Can you prove him wrong and get the admin password?

After we sign up and log in, the website allows us to upload files from URLs. At first, I tried to upload some PHP scripts, but PHP is disabled on the web server. Still, I noticed that uploaded files are stored under the /files directory. Since the hint was “Can’t solve it? Git gud.”, I wanted to check whether a .git folder exists under /files.

So there is a Git repository exposed on the server. I dumped it using gitdumper and got the application’s source code.

The admin user’s password is the flag. Now, we need to find a way to leak that password.

Let’s check the code snippet that is commented as a beta feature. It basically returns the requested field of the given user object, so I decided to try this feature.

It worked for the username but failed for __password. Why did it fail? We need to understand how the Python interpreter treats identifiers that start with a double underscore.

Inside a class body, Python replaces __field with _classname__field (name mangling). Therefore we need to read the field _user__password.
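The following is an added example, not the challenge’s source: a minimal model of the beta feature as a getattr()-style lookup, showing why __password is not found while the mangled _user__password is, next to a hardened variant that only exposes allowlisted fields. The class name user, the function names and the sample password are assumptions.

```python
# Added example (not the challenge's own code): a minimal model of the
# "beta feature" from the writeup, showing why a getattr()-style lookup
# misses __password but finds the mangled name, plus a hardened variant.


class user:  # lowercase on purpose: the writeup's mangled name is _user__password
    def __init__(self, username, password):
        self.username = username
        # Inside a class body, __password is rewritten by the compiler to
        # _user__password, so that is the attribute name actually stored.
        self.__password = password


def beta_lookup(u, field):
    """Hypothetical stand-in for the beta feature: return the attribute of
    the user object named by an untrusted string, or None if absent."""
    return getattr(u, field, None)


ALLOWED_FIELDS = frozenset({"username"})


def safe_lookup(u, field):
    """Hardened variant: only explicitly allowlisted attributes are exposed,
    so neither __password nor _user__password can be requested."""
    if field not in ALLOWED_FIELDS:
        return None
    return getattr(u, field)


def mangled_name(cls, field):
    """Compute the name Python mangles a class-private identifier into.

    Mangling applies when the name starts with two underscores and does not
    also end with two; leading underscores of the class name are dropped.
    """
    if not field.startswith("__") or field.endswith("__"):
        return field
    return "_" + cls.__name__.lstrip("_") + field


if __name__ == "__main__":
    u = user("admin", "constructed-sample-password")  # constructed test data
    print(beta_lookup(u, "username"))                 # admin
    print(beta_lookup(u, "__password"))               # None: no such attribute
    print(beta_lookup(u, mangled_name(user, "__password")))  # constructed-sample-password
    print(safe_lookup(u, "_user__password"))          # None: blocked by allowlist
```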

Here is our flag: actf{2_und3rsc0res_h1des_n0th1ng}.