This is a write-up of the 2014 CactusCon web application challenge (SpookiLeaks). You can grab the SpookiLeaks-VM here and try the challenge yourself before reading the solution.