Display Case
A small team's self-hosted file vault. The main UI is tidy, but the worker process that ingests uploads seems to be a little too generous with what it shows the world.
The Scenario
Display Case is the file-sharing tool a four-person agency uses to swap rough cuts and project archives with their clients. They moved off Dropbox to "control the surface". The site lists exactly the files the team intended to publish; the folder underneath them does not. Start at the landing page, look around the uploads area, and see what a stray legacy panel will hand you if you ask.
Challenge Intel
Synopsis
Go's http.FileServer was mounted at /uploads/ with directory listing on by default — including a hidden _legacy_admin folder whose dashboard wires an unauthenticated debug endpoint.
What It Is
The /uploads/ route is served by Go's stdlib http.FileServer rooted at /var/uploads. Go enables autoindex by default, so any visitor browsing /uploads/ sees every file in the directory — including a _legacy_admin/ subfolder that the team forgot to delete. Inside, dashboard.html ships inline JavaScript that fetches /api/legacy/whoami. That endpoint never had an auth check; its JSON response body contains the flag.
Who It's For
Players who can browse a directory listing and read a small JS file to pick up the next-hop endpoint.
Skills You'll Practice
- Spotting autoindex / open directory listings
- Reading inline JavaScript for unlinked API endpoints
What You'll Gain
- An intuition for how 'static file servers' leak entire orphaned admin tools
- A reflex to walk every subdirectory of an exposed listing before exploiting
Ready to hack Display Case?
Upgrade to Pro to unlock this challenge and the full library.