search

Web - Journal

100 points | 518 solves

hashtag
Description

dear diary, there is no LFI in this app

hashtag
Downloads

file-archive
8KB
journal-dist.zip
archive
arrow-up-right-from-squareOpen

hashtag
Solution

The provided php file:

<?php

echo "<p>Welcome to my journal app!</p>";
echo "<p><a href=/?file=file1.txt>file1.txt</a></p>";
echo "<p><a href=/?file=file2.txt>file2.txt</a></p>";
echo "<p><a href=/?file=file3.txt>file3.txt</a></p>";
echo "<p><a href=/?file=file4.txt>file4.txt</a></p>";
echo "<p><a href=/?file=file5.txt>file5.txt</a></p>";
echo "<p>";

if (isset($_GET['file'])) {
  $file = $_GET['file'];
  $filepath = './files/' . $file;

  assert("strpos('$file', '..') === false") or die("Invalid file!");

  if (file_exists($filepath)) {
    include($filepath);
  } else {
    echo 'File not found!';
  }
}

echo "</p>";

It's a simple enough challenge that looks like your typical LFI but like the description says, this is not a LFI challenge.

As it turns out, the assert() function basically works like an eval() function and we all know the horrors of eval. This page on HackTricks explains it all.

HackTricks

It is also worth noting from the provided docker file that the flag file name is appended with random characters which hinted towards getting an RCE.

Docker file

Final solution:

Flag: ictf{assertion_failed_e3106922feb13b10}

Last updated