The VulnScanner challenge in Snyk Fetch the Flag 2025 tasked participants with exploiting an HTTP server to read a flag.
The server was written in Go and allowed users to define HTTP test specifications using YAML templates.
The participant analyzed the provided source code and discovered two main endpoints: one for uploading YAML templates and one for downloading files from the server.
The participant noticed that the HandleTemplateDownload handler did not properly sanitize file paths, enabling path traversal attacks.
However, the corresponding ServeFile function included a check to prevent path traversal.
Moving on, the participant observed that the HandleUpload handler allowed users to execute system commands via the utils.ExecuteCode method, but it required bypassing a “digest” verification check.
To understand how the digest verification worked, the participant set up the challenge’s source code in a local Docker container and began debugging it using VS Code and Delve.
The participant found that the digest verification checked if the digest matched the content that was uploaded, rather than being a valid SHA-256 hash of the content.