Tags: php local_file_inclusion
Rating: 5.0
We're given the hint "robots will rule the world" - I immediately get the idea to head to /robots.txt on the site. We see a page called flag.php. Upon heading to it, it asks "How do you filter your coffee?"
This took me some time to think about, but I eventually saw that the CTF organizer had given a hint in Discord saying it's a local file inclusion vulnerability. I searched for things like "lfi filter php" and so on, and that's when I learned about something called php://filter.
I wasn't sure how to proceed from here, so I went back to the website. I realized that the site template was from PHPJabbers, so I downloaded the template to see if I would find anything interesting. However, it was just a plain HTML template, and I didn't think it would be relevant.
Then, mostly out of boredom, I clicked around the site and ended up on http://ez.ctf.cafe:9999/blog-posts.php?file=blog1.html. I changed blog1.html to ../../../etc/passwd and it worked! This made me think back to filtering, and I decided to filter flag.php into base64 like this: http://ez.ctf.cafe:9999/blog-posts.php?file=php://filter/convert.base64-encode/resource=flag.php
We get the output of a base64 string containing this: PD9waHAKCWVjaG8gJ0hvdyBkbyB5b3UgZmlsdGVyIHlvdXIgY29mZmVlPyc7ICAgIAoJLy8gRVotQ1RGe0xGSV8xU18zWn0KPz4K
Now, I go to cyberchef.org and enter the string and we get an output containing the PHP file's contents, which includes a comment with our flag:
<?php
echo 'How do you filter your coffee?';
// EZ-CTF{LFI_1S_3Z}
?>
This theoretically may have allowed remote code execution, as, due to the PHP version being outdated, a workaround existed that would bypass the site's prevention of loading code from other websites. However, I wasn't interested in trying to exploit this, and I feel that it's unnecessary and certainly isn't the point of the challenge.
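For the defensive side of this, here is an added example (not the challenge's own source, which was never shown) of the include pattern that makes blog-posts.php?file= behave the way described above, beside a hardened version. The function names, the posts directory and the file-name pattern are assumptions.

```php
<?php
// Added example, not code from the challenge. The directory name, function
// names and the accepted file-name pattern are assumptions.

// Vulnerable: the request parameter reaches include() untouched, so a
// "../../../etc/passwd" value traverses out of the blog directory and a
// "php://filter/convert.base64-encode/resource=flag.php" value makes PHP
// return the source of flag.php instead of executing it.
function render_post_vulnerable(string $file): void
{
    include $file;
}

// Hardened: accept only a bare post name, resolve it inside a fixed
// directory, confirm it stayed there, and output it without include().
function render_post_hardened(string $file): void
{
    $base = realpath(__DIR__ . '/posts');   // assumed content directory

    // A post name is one path component: no scheme (php://, data://, http://),
    // no slashes, no dot segments. This rejects wrappers and traversal alike.
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $file)) {
        http_response_code(400);
        exit('invalid post');
    }

    // realpath() returns false for a missing file and collapses symlinks, so
    // the containment check below runs on the real location.
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        exit('no such post');
    }

    // The posts are static HTML: readfile() sends the bytes, so nothing in a
    // post is ever interpreted as PHP even if the directory is writable.
    readfile($path);
}

render_post_hardened($_GET['file'] ?? 'blog1.html');
```

The regular expression alone already blocks both payloads from the writeup; the realpath() containment check is the second layer in case the naming rule is later loosened.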