# babyfirst (web 100)
baby, do it first.
## The bugs
When you browse to the website, you see the PHP code that is running on index page.
The program creates a sandbox directory using the `$_SERVER['REMOTE_ADDR']` (aka your IP address) if it doesn't exist already, and changes the directory into it. Then, it parses the GET parameter called `args`. The program iterates through `$args` array and verifies that they only contain letters, numbers and underscores.
However, it is possible to match with a string that ends with a new line (%0A). This allows us to inject custom shell commands when it does exec with our `$args`.
First, we run a shell command to download a shell script that we can execute later.
Then, we run the downloaded script.
The shell script redirects output to a file which we can download by going to `/sandbox/<YOUR_IP>`. To get the flag, the script runs `/read_flag`.