Description
The site blocks absolute paths but still reads files relative to the web root. Use directory traversal (`../../../../flag.txt`) to bypass the filter.
Setup
Submit filenames through the form.
Absolute paths like `/flag.txt` are rejected, so supply a relative traversal path: `../../../../flag.txt`.
Solution
- Step 1: Understand the constraint. The prompt reveals the webroot (`/usr/share/nginx/html`) and that the actual flag is `/flag.txt`.
- Step 2: Traverse upward. Entering `../../../../flag.txt` climbs out of the webroot and reads the real flag file.
Flag
picoCTF{7h3_p47h_70_5ucc355_e5fe3d4d}
Classic path traversal: relative paths often slip past simple filtering.
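Why the filter fails and what a containment check looks like, as an added example that is not the challenge's own code. The function names `weak_resolve` and `safe_resolve` are hypothetical, and the directory tree is constructed in a temporary directory so that its `flag.txt` stands in for `/flag.txt`.

```python
import os
import tempfile

def weak_resolve(web_root, user_path):
    """Filter as described above: only absolute paths are rejected."""
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    return os.path.join(web_root, user_path)

def safe_resolve(web_root, user_path):
    """Canonicalize first, then require the result to stay under web_root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the web root")
    return target

def rejected(resolver, web_root, user_path):
    """True if the resolver refuses the path."""
    try:
        resolver(web_root, user_path)
        return False
    except ValueError:
        return True

def demo():
    # Constructed layout: <tmp>/usr/share/nginx/html is the web root,
    # <tmp>/flag.txt plays the role of /flag.txt outside it.
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "usr", "share", "nginx", "html")
        os.makedirs(web_root)
        with open(os.path.join(tmp, "flag.txt"), "w") as f:
            f.write("constructed-secret")
        with open(os.path.join(web_root, "index.html"), "w") as f:
            f.write("hello")
        traversal = "../../../../flag.txt"
        # The weak filter passes the relative path; the OS resolves the ".." parts.
        with open(weak_resolve(web_root, traversal)) as f:
            leaked = f.read()
        return {
            "weak_leaks": leaked == "constructed-secret",
            "safe_blocks_traversal": rejected(safe_resolve, web_root, traversal),
            "safe_blocks_absolute": rejected(safe_resolve, web_root, "/flag.txt"),
            "safe_allows_index": safe_resolve(web_root, "index.html").endswith("index.html"),
        }

if __name__ == "__main__":
    print(demo())
```

The containment check compares canonical paths, so it also covers symlinks inside the web root that point outside it.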