Tags: web 


You can also read this and other writeups on my [GitHub](https://github.com/quochuyy10217/MyCTFWriteups/tree/main/Digital%20Overdose%202021%20Autumn%20CTF).

When you open an instance of this chall, you will see a page like this:


Now look carefully at the URL of this chall: it looks like /index.php?page=index.html. This is evidence that the page may suffer from LFI (local file inclusion). If you don't know what LFI is, please read [this](https://book.hacktricks.xyz/pentesting-web/file-inclusion). You should learn about PHP wrappers as well, because we will use one to solve this chall.

To check whether the page suffers from LFI, I use a PHP wrapper: I change the URL to /index.php?page=php://filter/convert.base64-encode/resource=index.html, and the result is:


When I use the PHP wrapper, the content of the page is converted to base64. This method is useful when you want to read the PHP code of a page. After that, I use a base64 decoder to see the source code of the page:


As you can see in the image above, the source code has a comment in which the developer reminds himself to delete /bin/secrets.txt. So we will go to that page to check whether it has been deleted.
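
For the defensive side of the ?page= behaviour shown above, here is an added example (not the challenge's code and not part of the original writeup) of how such a parameter can be resolved safely. The function name resolve_page() and the idea of a dedicated pages directory are assumptions made for illustration; the sample inputs are constructed from the values used in this writeup.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code: resolve_page() and the dedicated
// pages directory are assumptions made for illustration.
function resolve_page(string $requested, string $pagesDir): ?string
{
    // Allowlist the name itself: a single path component ending in .html.
    // ':' and '/' are not permitted, so "php://filter/..." wrappers,
    // "../" traversal and absolute paths all fail here.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.html\z/', $requested) !== 1) {
        return null;
    }

    // Canonicalise, then confirm the file is still inside the pages directory
    // (this also catches a symlink inside it that points elsewhere).
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary pages directory holding one index.html.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700);
}
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'index.html', '<h1>home</h1>');

// Constructed sample values for the page parameter.
$samples = [
    'index.html',
    'php://filter/convert.base64-encode/resource=index.html',
    '../index.html',
    '/bin/secrets.txt',
];
foreach ($samples as $value) {
    $path = resolve_page($value, $pagesDir);
    printf("%-56s %s\n", $value, $path === null ? 'rejected' : 'served');
}

// Clean up the demo directory.
unlink($pagesDir . DIRECTORY_SEPARATOR . 'index.html');
rmdir($pagesDir);
```

When serving the resolved path, output it with readfile() rather than include, so the file's content is sent as-is and never executed as PHP.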