Rating: 5.0

Writeup URL: [GitHub](https://infosecstreams.github.io/csaw21/poem-collection/)

# Poem Collection

Writeup by: [GoProSlowYo](https://github.com/GoProSlowYo) and solved by [Joe](https://github.com/ghost).

Team: [OnlyFeet](https://ctftime.org/team/144644)


Hey! I made a cool website that shows off my favorite poems. See if you can find flag.txt somewhere!



## Poems :)

We find a page offering us some poetry.

![A Page of Poems](./poems.png)


## PHP Errors?

If we browse to the page, it already throws a PHP error -- clearly a `Filename` was not provided!

```
Warning: file_get_contents(): Filename cannot be empty in /var/www/html/poems/index.php on line 4
```

![What Filename?](./php-error.png)


## Choose a Poem

If we choose a poem, the error goes away and a poem is displayed. We also notice that a GET parameter named `poem` is populated in the URL and points to a file.


![Get Parameter](./get-parameter.png)


## Victory

We can change this to ask for the flag:


![LFI for Victory](./lfi.png)
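The root cause and its fix, as an added example that is not the challenge's own source: the warning suggests `index.php` passes the `poem` parameter straight to `file_get_contents()`, so the "before" function assumes exactly that. Function names, the directory layout and the sample files are constructed for illustration.

```php
<?php
// Assumption: the challenge's index.php is not shown in the writeup. The
// "before" function is a guess consistent with the warning on the page
// (file_get_contents() called on the raw `poem` request parameter).

// Before: the request value is used as a path with no validation.
function read_poem_unsafe(string $name)
{
    return file_get_contents($name);
}

// After: resolve the requested name inside a fixed directory and refuse
// anything whose canonical path ends up elsewhere.
function read_poem_safe(string $baseDir, string $name): ?string
{
    if ($name === '') {
        return null;                 // also avoids the empty-filename warning
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                 // missing directory or missing file
    }
    // The canonical path must sit under the base directory and be a file.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed demo data: a temp tree with one poem and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'poems_demo_' . getmypid();
@mkdir($root . '/poems', 0700, true);
file_put_contents($root . '/poems/poem1.txt', "Roses are red\n");
file_put_contents($root . '/secret.txt', "not a poem\n");

var_dump(read_poem_safe($root . '/poems', 'poem1.txt'));     // poem inside the directory
var_dump(read_poem_safe($root . '/poems', '../secret.txt')); // resolves outside the directory
var_dump(read_poem_safe($root . '/poems', ''));              // empty parameter

// Remove the constructed files again.
array_map('unlink', [$root . '/poems/poem1.txt', $root . '/secret.txt']);
rmdir($root . '/poems');
rmdir($root);
```

A fixed allowlist of poem names mapped to files is stricter still, since the request value then never reaches a filesystem call.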

Submit the flag and claim the points:


Original writeup (https://infosecstreams.github.io/csaw21/poem-collection/).