Tags: web php lfi 


We see from the PHP file, that the query param `lang` will include a file from the filesystem. Its main use is to provide us with language support by using either `en.php` or `qw.php` as language files, but we see other uses for it - namely _local file inclusion_.

The only problem, is that there is a `str_replace` method being called, which removes any string of the form `../` from the query. But we need `../` to get to the root directory, where the flag is.

Since `str_replace` will run through our string only once, all we need to do is supply a buffer to the string `../` by making it for example into `....//` or `.../...//`, or anything similar to that.

Original writeup (https://kblagoev.com/blog/ministrypalace-cyberapocalypse-2021-ctf/).