Tags: bypass lfi 

Rating:

## Challenge : Buggy

### Solution

The challenge is about bypassing 403 error along with file upload vulneribility and LFI.

When we entered the website there's a login form and a link to register.
After clicking on register we see a ```403 Forbidden``` error.

![error](/Buggy/imgs/403.jpg)

Looking at this, thought we can bypass it which is smuggling the request to get registered. After some googling i found a way to bypass it ```/./register.php?username=ph03n1x&password=ph03n1x```

Intercepting the request with burp and forwarding it, our registration is successful.

![burp](/Buggy/imgs/Request.jpg)

Logging in, we find a file uploader which accepts any file extension. Uploading the file, it removes the uploaded file extension and convert the file name to a hash.
I thought of getting a PHP Shell and uploaded a php file.

After uploading the php, there's an option to ```include``` the file. We get a page with following details
> The file has been uploaded to: /var/www/uploads/df0f1a1ac715de9266c8d8391769156a
>
> To include the file, use ?include=

Here we get ```LFI``` at ```/../../../var/www/uploads/df0f1a1ac715de9266c8d8391769156a```
This ```include``` option allows only the content of `http (or) https`.

The final payload for LFI will be `/index.php?include=http:/../../../var/www/uploads/df0f1a1ac715de9266c8d8391769156a`

After getting the shell, `cat` the files in directory.

The flag is in `config.php`.

### Flag: `inctf{REQU357_5MUGG71NG_4ND_1NCLUD3_F0R_TH3_W1N}`

Original writeup (https://github.com/Ph03-N1X/INCTFi-2020/tree/master/Buggy).