[TJCTF 2020] – File Viewer

The challenge looks like this: a list of files, and clicking one of them opens it.

Looking closer at the URL, we can see that it's most likely some type of file inclusion challenge.

Trying the standard LFI payloads seems to succeed.

As you can see, we can read '/etc/passwd', so... what can we do? The first thing that comes to mind is the php wrapper (php://), which lets us use some PHP functionality straight from the URL.

Source: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php

With this we can base64-encode the page we want and see what's inside.

This is what it looks like: a base64 string, and if we decode it we get all of index.html, but nothing interesting is inside. The next thing that comes to mind is RCE. How can we get RCE from LFI? We can still use a wrapper: with data:// we can write directly into the HTML output. Think of it like XSS. XSS occurs because something inserted into the HTML layout (commonly echoed by PHP into the HTML) is rendered as markup; here we can do more, because what we insert is included as PHP, so we can put in a PHP script just like opening a php tag in HTML.

Using: data://text/plain;base64,PD9waHAgZWNobyAiUGV0aXIgQ3liZXIgU2VjdXJpdHkiOyA/Pg==

Base64 decoded: <?php echo "Petir Cyber Security"; ?>

We can run PHP inside... so... system() it is.

Using: data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B&cmd=ls

Base64 decoded: <?php system($_GET['cmd']); ?>

We can now run commands just as if we were on the server. There is probably something interesting in 'i_wonder_whats_in_here', so let's check it.
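For contrast, a hardened version of the include pattern this writeup exploits, as an added example (not the challenge's source): it allowlists the viewable file names, re-checks the resolved path, and reads the file as text instead of include()-ing it, so php://filter and data:// values like the ones above are rejected before they reach the filesystem. The base directory and file names are assumptions.

```php
<?php
// Added example, not the challenge's code. VIEW_DIR and ALLOWED are assumptions.
//
// Vulnerable shape this writeup exploits (shown for contrast, never use it):
// the raw query value goes straight into include(), so the php://filter and
// data:// wrappers are honoured and data:// payloads execute as PHP.
//   include($_GET['page']);

declare(strict_types=1);

const VIEW_DIR = __DIR__ . '/files';           // assumed base directory
const ALLOWED  = ['readme.txt', 'notes.txt'];  // assumed allowlist of viewable files

function resolveViewable(string $page): ?string
{
    // 1. Exact allowlist match: wrapper schemes (php://, data://), '..'
    //    sequences and names like 'flag.php' never get past this line.
    if (!in_array($page, ALLOWED, true)) {
        return null;
    }
    // 2. Defence in depth: even if the allowlist is edited carelessly later,
    //    the resolved path must stay inside VIEW_DIR.
    $base = realpath(VIEW_DIR);
    $real = realpath(VIEW_DIR . '/' . $page);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? '';
$path = resolveViewable($page);
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}
// 3. Serve the bytes as text. readfile() never executes PHP, so an
//    allowlisted .php file would be displayed, not run.
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

Independently of the application code, the data:// trick only works while allow_url_include is On in php.ini, so keeping it Off (the default) closes that path; php://filter is not governed by that setting, which is why the allowlist is still needed.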

Kind of not important note: at the time of making this writeup something happened with some of the files, so it's probably best not to show some of them, like the 'flag' file, which has been altered; I think it's supposed to be tjctf{you_are_the_dumbest_person} or something…

There is a flag.php file, okay… let's open it.

Flag: tjctf{l0CaL_f1L3_InCLUsi0N_is_bad}
