Tags: php local_file_inclusion
Rating: 5.0
We're given the hint "robots will rule the world", which immediately suggests heading to `/robots.txt` on the site. It lists a page called `flag.php`; opening it only asks "How do you filter your coffee?"
This took me some time to think about, but I eventually saw that the CTF organizer had given a hint in Discord saying it's a local file inclusion vulnerability. I searched for things like "lfi filter php", and that's when I learned about the `php://filter` stream wrapper.
I wasn't sure how to proceed from here, so I went back to the website. I realized that the site template was from PHPJabbers, so I downloaded the template to see if I would find anything interesting. However, it was just a plain HTML template, and I didn't think it would be relevant.
Then, mostly out of boredom, I clicked around the site and ended up on `http://ez.ctf.cafe:9999/blog-posts.php?file=blog1.html`. I changed `blog1.html` to `../../../etc/passwd` and the file's contents came back, so the `file` parameter is included without any path restriction. This made me think back to the filtering hint: wrapping `flag.php` in `php://filter` with the `convert.base64-encode` filter makes the server return the file's source base64-encoded instead of executing it, so the flag comment survives: `http://ez.ctf.cafe:9999/blog-posts.php?file=php://filter/convert.base64-encode/resource=flag.php`
The response is this base64 string: `PD9waHAKCWVjaG8gJ0hvdyBkbyB5b3UgZmlsdGVyIHlvdXIgY29mZmVlPyc7ICAgIAoJLy8gRVotQ1RGe0xGSV8xU18zWn0KPz4K`
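The writeup does not show the server-side code behind `blog-posts.php`, so the following is an added example of my own, not the challenge site's code: a guess at the vulnerable pattern (the `file` parameter passed straight to `include`) next to a hardened resolver that only serves known static posts. `$postsDir`, the helper names and the sample posts directory are all assumptions made for the example; the rejected inputs are the same traversal and `php://filter` strings used above.

```php
<?php
// Added example, not the challenge site's code. The real blog-posts.php is
// not shown in the writeup; this reconstructs the likely vulnerable pattern
// and shows a hardened replacement. Names and paths are hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern (assumed): whatever the client sends is included. ---
// "../../../etc/passwd" walks out of the posts directory, and
// "php://filter/convert.base64-encode/resource=flag.php" uses a stream
// wrapper so PHP source is returned as text instead of being executed.
function includeBlogPostVulnerable(string $file): void
{
    include $file;
}

// --- Hardened version: resolve against an allowlist, never the raw input. ---
// $postsDir is a hypothetical directory containing only the static HTML posts.
function resolveBlogPost(string $requested, string $postsDir): ?string
{
    // 1. Accept only a plain basename. This rejects "/", "../", "php://" and
    //    any other path or scheme syntax before it reaches the filesystem.
    if (!preg_match('/\A[a-z0-9_-]+\.html\z/i', $requested)) {
        return null;
    }

    // 2. Check against the real directory listing, an explicit allowlist,
    //    rather than trusting the pattern alone.
    $allowed = array_map('basename', glob($postsDir . '/*.html') ?: []);
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Canonicalise and confirm the final path still lies inside $postsDir.
    $base = realpath($postsDir);
    $path = realpath($postsDir . '/' . $requested);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includeBlogPostHardened(string $requested, string $postsDir): void
{
    $path = resolveBlogPost($requested, $postsDir);
    if ($path === null) {
        http_response_code(404);
        echo 'No such post';
        return;
    }
    // Posts are static HTML, so readfile() is enough; include would execute
    // any PHP that happened to be inside the file.
    readfile($path);
}

// Self-check against a constructed posts directory (constructed sample data).
$postsDir = sys_get_temp_dir() . '/posts_' . bin2hex(random_bytes(4));
mkdir($postsDir);
file_put_contents($postsDir . '/blog1.html', "<p>first post</p>\n");

$inputs = [
    'blog1.html',
    '../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=flag.php',
    'blog1.html/../blog1.html',
];
foreach ($inputs as $in) {
    $res = resolveBlogPost($in, $postsDir);
    printf("%-55s -> %s\n", $in, $res === null ? 'rejected' : 'ok: ' . basename($res));
}
// Only "blog1.html" is accepted; the other three are rejected at step 1.

unlink($postsDir . '/blog1.html');
rmdir($postsDir);
```

Run it with `php example.php`. The three checks are deliberately redundant: the regex alone would already stop every input used in the challenge, but the directory allowlist and the `realpath` containment check mean a later change to the pattern cannot quietly reopen traversal or wrapper access.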
Decoding the string on cyberchef.org gives the PHP file's contents, which include a comment with our flag:
```php
<?php
	echo 'How do you filter your coffee?';
	// EZ-CTF{LFI_1S_3Z}
?>
```
In theory this could have been escalated to remote code execution: the PHP version was outdated, and a known workaround existed for the site's restriction on loading code from other websites. However, I wasn't interested in trying to exploit this; it's unnecessary and certainly isn't the point of the challenge.