The challenge gave us this link:

http://uploader.earth.tasks.ufoctf.ru/?fileid=dcfd9cbaee181d457598465297b662814d19cff1

The page shows the download link for the requested file, the cipher used to encrypt it, and some other fields. At first glance the vulnerability could be an LFI or a SQLi, but looking more closely at the download link:

http://uploader.earth.tasks.ufoctf.ru/secret_uploads/dcfd9cbaee181d457598465297b662814d19cff1/TopSecret_Report_For_You_MrLOL.txt

you can see the path where the file is stored. So, as you may have guessed, the vulnerability was basically HTTP directory indexing. In fact, you can browse the directories easily, and doing so I found an interesting file:

uploader.earth.tasks.ufoctf.ru/secret_uploads/f6140944d4fa3976ef04f81792d2c88562872a2d/Mr.LOL_earth.documents.zip

Now there is another problem: the content is encrypted with aes-256-cbc. Every directory contains a file called ._secret, which holds the key needed to decrypt the content of the file. So now it's a piece of cake:

openssl enc -d -aes-256-cbc -in Mr.LOL_earth.documents.zip -out a.zip

Now just unzip it and open the image to see the flag…

Razor4x
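
Seen from the defender's side, the two weaknesses described above (listable upload directories and a ._secret key file sitting next to the data it protects) can be checked for on your own web root. The following audit is an added example, not code from the challenge or from the author; the index file names and the sample directory layout are assumptions, and only the ._secret name comes from the write-up.

```python
import os
import tempfile

# Assumed index file names; match them to the server's actual index setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Key file name taken from the write-up; extend for your own naming scheme.
KEY_FILE_NAMES = {"._secret"}


def audit_upload_root(root):
    """Return sorted (relative_dir, issue) findings for a web-served upload tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        names = set(filenames)
        # Without an index file, a server with auto-indexing on lists this directory.
        if not names & INDEX_NAMES:
            findings.append((rel, "no index file: listable if auto-indexing is on"))
        # A key stored beside the ciphertext is served to anyone who can fetch the data.
        keys = names & KEY_FILE_NAMES
        if keys and names - keys - INDEX_NAMES:
            findings.append((rel, "key file stored next to the data it protects"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (hypothetical names) mirroring the one described."""
    layout = {
        "secret_uploads/aaaa": ["report.txt", "._secret"],
        "secret_uploads/bbbb": ["documents.zip", "._secret"],
        "secret_uploads/cccc": ["index.html", "notes.txt"],
    }
    for rel, files in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in files:
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write("constructed sample\n")


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_upload_root(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```

Any finding of the second kind means the encryption adds nothing once the directory is reachable; the key belongs outside the document root.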