Rating: 5.0

Writeup URL: [GitHub](https://infosecstreams.github.io/csaw21/poem-collection/)

# Poem Collection

Writeup by: [GoProSlowYo](https://github.com/GoProSlowYo) and solved by [Joe](https://github.com/ghost).

Team: [OnlyFeet](https://ctftime.org/team/144644)

Writeup URL: [GitHub](https://infosecstreams.github.io/csaw21/poem-collection/)

----

text
Hey! I made a cool website that shows off my favorite poems. See if you can find flag.txt somewhere!

----

## Poems :)

We find a page offering us some poetry.

![A Page of Poems](./poems.png)

----

## PHP Errors?

If we browse to the page it throws a PHP error already -- clearly a Filename was not provivded!

php
Warning: file_get_contents(): Filename cannot be empty in /var/www/html/poems/index.php on line 4


![What Filename?](./php-error.png)

----

## Choose a Poem

If we choose a poem the error goes away and a poem is displayed. We also notice a GET parameter named poem is populated in the url and is pointing to a file.

?poem=poem2.txt

![Get Parameter](./get-parameter.png)

----

## Victory

We can change this to ask for the flag:

?poem=../flag.txt`

![LFI for Victory](./lfi.png)

Submit the flag and claim the points:

**flag{l0c4l_f1l3_1nclusi0n_f0r_7h3_w1n}**

Original writeup (https://infosecstreams.github.io/csaw21/poem-collection/).