Tags: php local_file_inclusion

Rating: 5.0

We're given the hint "robots will rule the world" - I immediately get the idea to head to /robots.txt on the site. We see a page called flag.php. Upon heading to it, it asks "How do you filter your coffee?"

This took me some time to think about, but I eventually saw that the CTF organizer had given a hint in Discord saying it's a local file inclusion vulnerability. I searched for things like "lfi filter php" and so on, and that's when I learned about something called php://filter.

I wasn't sure how to proceed from here, so I went back to the website. I realized that the site template was from PHPJabbers, so I downloaded the template to see if I would find anything interesting. However, it was just a plain HTML template, and I didn't think it would be relevant.

Then, mostly out of boredom, I clicked around the site and ended up on http://ez.ctf.cafe:9999/blog-posts.php?file=blog1.html. I changed blog1.html to ../../../etc/passwd and it worked! This made me think back to filtering, and I decided to filter flag.php into base64 like this: http://ez.ctf.cafe:9999/blog-posts.php?file=php://filter/convert.base64-encode/resource=flag.php

We get the output of a base64 string containing this: PD9waHAKCWVjaG8gJ0hvdyBkbyB5b3UgZmlsdGVyIHlvdXIgY29mZmVlPyc7ICAgIAoJLy8gRVotQ1RGe0xGSV8xU18zWn0KPz4K

Now, I go to cyberchef.org and enter the string and we get an output containing the PHP file's contents, which includes a comment with our flag:

<?php
    echo 'How do you filter your coffee?';    
    // EZ-CTF{LFI_1S_3Z}
?>

This theoretically may have allowed remote code execution: because the PHP version was outdated, a workaround existed that would bypass the site's prevention of loading code from other websites. However, I wasn't interested in trying to exploit this, and I feel that it's unnecessary and certainly isn't the point of the challenge.
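As an added defender's example (my code, not part of the original writeup), the script below covers both sides of this bug: a detector that flags `php://` wrappers and `../` traversal in the `file` parameter of web-server access logs, and `resolve_post`, which does what `blog-posts.php` should have done before including anything (fixed allowlist, then a realpath containment check). The log lines are constructed; the real blog-posts.php source is not on the page, and `blog1.html` is assumed to be the only legitimate post name because it is the one the writeup shows.

```python
import re
from os import path
from urllib.parse import urlsplit, parse_qs, unquote

# PHP stream wrappers that must never reach include(); php://filter is the
# one the writeup uses, the others are wrappers of the same family.
WRAPPER_RE = re.compile(r"^\s*(php|data|file|phar|zip|glob|expect)://", re.I)

def classify_file_param(value: str) -> str:
    """Label a 'file' parameter as 'wrapper', 'traversal' or 'clean'."""
    decoded = unquote(unquote(value))  # also catches double URL-encoding
    if WRAPPER_RE.match(decoded):
        return "wrapper"
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts or decoded.startswith("/"):
        return "traversal"
    return "clean"

def flag_access_log(lines):
    """Return (client_ip, label, param) for each suspicious request."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get("file", []):
            label = classify_file_param(value)
            if label != "clean":
                hits.append((ip, label, value))
    return hits

def resolve_post(posts_dir: str, requested: str, allowlist=("blog1.html",)):
    """Safe counterpart of include($_GET['file']): allowlisted name, then
    the resolved path must stay inside posts_dir. Returns a path or None."""
    if requested not in allowlist:
        return None
    base = path.realpath(posts_dir)
    full = path.realpath(path.join(base, requested))
    if path.commonpath([base, full]) != base:
        return None
    return full

# Constructed access-log lines mirroring the requests in the writeup.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blog-posts.php?file=blog1.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /blog-posts.php?file=../../../etc/passwd HTTP/1.1" 200 1800',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /blog-posts.php?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 140',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /blog-posts.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1800',
]
```

Running `flag_access_log(SAMPLE_LOG)` reports the traversal, the php://filter read and the URL-encoded traversal, and leaves the plain `blog1.html` request alone.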

Original writeup (https://pipuninstallpip.github.io/writeups/ez-ctf-i-made-a-blog).