Rating:

# CSAW CTF 2016 mfw Writeup

mfw was a web challenge that included one flag for 125 points.

When launching the mfw web site at web.chal.csaw.io:8000 was introduced by the phrases

```
Welcome to my website!
I wrote it myself from scratch!
```

and this is how it basically looked like: A navigation pane with three links to `Home`, `About` and `Contact`. While Home and Contact did not show something interesting, the About page revealed some nice information as he wrote:

```
I wrote this website all by myself in under a week!
I used Git, PHP and Bootstrap
```

Next to this it was easy to see that the developer created a common templating system based on the GET parameter `page` as all URL looked like the following:

```
http://web.chal.csaw.io:8000/?page={home,about,contact}
```

Further investigation of the source code revealed that formerly there seemed to be a fourth link within the navigation pane:

```


```

For sure, the most obvious and therefore first try was to use a local file inclusion to get the output of /etc/passwd or the flag.php file but the following answer was returned:

```
http://web.chal.csaw.io:8000/?page=../../../../../etc/passwd

Detected hacking attempt!
```

Some more tests with different payloads and encodings lead to the fact that the code somehow detects two points, so a simple directory traversal was not possible. After some tries I found out the the flag.php file was lying within a folder called `templates`, but the inclusion of the file did not show any further information so my guess was that the flag is saved within a PHP variable of the file.

Following the hint from the `About` page I tried to see whether the developer forgot to exclude the `.git` directory from the web server and voila: a directory listing showing the default content of a .git folder was found:

```
branches description hooks info objects refs
config HEAD index logs packed-refs
```

Now I cloned the git repository and used `git diff` which revealed the source code of the index.php file as follows:

```

```

Original writeup (https://github.com/ernw/ctf-writeups/tree/master/csaw2016/mfw).