Leak some secret configuration variables
Difficulty: Medium
UnicornBox stores some configuration variables in a config.yml
file in a folder separate from the users’ files: The layout of the server storage is as follows:
site/
file/
foo1.txt
foo2.txt
...
config/
config.yml
Your task: Gain access to the secrets stored within config.yml
.
Tip: Most browsers modify URLs before they are truly actually sent to the server. If you are having trouble determining what URLs are sent to the server, consider using the Network tab of your browser’s debugger.
Tip: What happens if you try to access a file that your user account doesn’t have access to? Consider what has to be true before a file is “served” from the file system in this website.