## Web/Novel reader (119 solves)  
> We have many fun novels for ya...

The website seems to be an article reader with one article we cannot read, and
we can only read a few words with our balance.

![Home Page](https://seall.dev/images/ctfs/mapnactf2024/novel-reader-1.png)

I look into the web request used for reading an article, and the source code
has the following segment:

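```python
# `unquote` is imported from urllib.parse in the challenge source
name = unquote(name)
# Only the prefix of the decoded name is checked
if(not name.startswith('public/')):
    return {'success': False, 'msg': 'You can only read public novels!'}, 400
```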

`unquote` comes from `urllib.parse` and does URL decoding, so we can get around
that by layering the URL encoding, e.g. `%2e` -> `%252e`.

We then see that the path has to start with `public/` to be read.

We can achieve path traversal to read the flag using the following payload:
`public/%252e%252e/%252e%252e/flag.txt`

Making the final web request to
`/api/read/public/%252e%252e/%252e%252e/flag.txt` gives us the flag.

Flag: `MAPNA{uhhh-1-7h1nk-1-f0r607-70-ch3ck-cr3d17>0-4b331d4b}`
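The prefix check above next to a hardened alternative, as an added example that is not part of the original writeup or the challenge source. `BASE_DIR`, `weak_check` and `safe_resolve` are hypothetical names, and the example assumes the web framework has already URL-decoded the request path once before the handler sees it.

```python
import os
from urllib.parse import unquote

# Assumed layout for this example: novels live under BASE_DIR/public/.
BASE_DIR = "/srv/novels"
PUBLIC_DIR = os.path.realpath(os.path.join(BASE_DIR, "public"))

# The request path from the writeup, and (assumption) what the handler
# receives after the framework has decoded it once.
REQUEST_PATH = "public/%252e%252e/%252e%252e/flag.txt"
HANDLER_INPUT = unquote(REQUEST_PATH)  # 'public/%2e%2e/%2e%2e/flag.txt'


def weak_check(name: str) -> bool:
    """The challenge's logic: decode again, then test only the string prefix."""
    name = unquote(name)
    return name.startswith("public/")


def safe_resolve(name: str):
    """Return the resolved path if it stays inside PUBLIC_DIR, else None."""
    name = unquote(name)
    # Resolve '..' segments and symlinks before deciding where the path points.
    candidate = os.path.realpath(os.path.join(BASE_DIR, name))
    # commonpath compares whole components, so a sibling such as
    # '/srv/novels/public2' is not treated as being inside 'public'.
    if os.path.commonpath([candidate, PUBLIC_DIR]) != PUBLIC_DIR:
        return None
    return candidate


if __name__ == "__main__":
    print("handler input :", HANDLER_INPUT)
    print("weak check    :", weak_check(HANDLER_INPUT))
    print("safe resolve  :", safe_resolve(HANDLER_INPUT))
    print("legit request :", safe_resolve("public/chapter1.txt"))
```

The containment test runs on the fully resolved path, so it gives the same answer however many encoding layers or `..` segments the name carried.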

**Files:** [novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz](https://web.archive.org/web/20240121175613/https://mapnactf.com/tasks/novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz)

Original writeup (https://seall.dev/posts/mapnactf2024#webnovel-reader-119-solves).