Tags: web 


# Challenge description

Try to find the flag from the website.

N:B: I'm a n00b developer.

Website Link

Note : Burte Force/Fuzzing not required and not allowed.

Flag Format: KCTF{S0m3_T3xt_H3re}

**Author: TareqAhmed**


From the url we can tell that this is an LFI

So trying out different urls like **flag.php** , **flag.txt** didn't work until i tried **index.php** and we get this ERROR message

So it seems like it's blocking us somehow or its "filtering" us out so using this payload we can bypass that

You can find more LFI payloads at this repo

> https://github.com/payloadbox/rfi-lfi-payload-list


so we just decode it !

include $_GET['file'];

echo "<h1>You are missing the file parameter</h1>";

#note :- secret location /home/tareq/s3crEt_fl49.txt



Now that we know where the flag is we can simply change our payload to :


and we get our base64 encoded flag :

> S0NURntMMEM0TF9GMUwzXzFuY0x1NzEwbn0K

and we just decode it and here's our flag

``` KCTF{L0C4L_F1L3_1ncLu710n} ```

Original writeup (https://github.com/j3seer/KnightCTF-2022-WriteUps/tree/main/KnightCTF%202022/Web/My%20PHP%20Site).