The challenge give you a mail with an archive as attachment encoded in base64. After decode it and extract it a ruby file popped out. Analyzing it the script is a kind of shell where the commands are sended by email’s field subject. You can signup your account (in this case a proper folder will be created), get your files inside your account, share files with other, create files, ecc… In these last cases the input were hard-filtered by regex so that you can input only alphanum chars. All filtered except the signup form. The vulnerability was very easy to find and exploit: since during signup the source mail weren’t filtered we could point our home directory to another one like this

asdasd/../../../..[email protected]

So now we basically pointed our home directory to /etc with asdasd/../../../..[email protected] account name (a fake mailer was used to accomplish this). Now create a new message with previous account where subject is: share passwd [email protected] Now just enter in [email protected] mail and get passwd for pick up the flag.

Razor4x