Rating:

# Challenge

fun.ritsec.club:8007

Author: jok3r


Same page as TangledWeb

# Solve
After solving Tangled Web, we get a hint:




Going to http://fun.ritsec.club:8007/devsrule.php and get the following message:

Not what you input eh?
This param is 'magic' man.


The 2 keyswords here are **input** and **magic**.

Fiddling with the ?magic= parameter, I tried different LFI. The one that worked was php://input.

If you do a POST request to http://fun.ritsec.club:8007/devsrule.php?magic=php://input with PHP code as the POST payload, we have PHP Code Execution.

There is an interesting file called JokersSomeSortaHack. Inside, there is an RSA key. This hinted me to a user we can connect to with that RSA key. I got the /etc/passwd file.

The joker user looks interesting. After looking inside its directory, we find a flag.txt file which we can read:

Flag: RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}

Original writeup (https://github.com/Prodicode/ctf-writeups/blob/master/RITSEC%20CTF%202018/web/LazyDev.md).