Created: 2014-11-08 13:21:43
Last modified: 2014-11-09 23:28:12
This Daedalus Corp. website loads images in a rather odd way... [Source Code]
The file_loader.php
page might be able to serve more than just images.
Using file_loader.php
to view a file in another directory with relative paths.
The hint tells us to check out file_loader.php
. Going to the link http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg we can see that file loader.php
takes in a file
id with the of name of the file requested, and then displays the file. What if we try requesting flag.txt
? Entering the url http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=flag.txt does not work, but the error tells us:
No such file: /resources/files/flag.txt
So now we known that file_loader.php
is looking for a file in /resources/files
. If we can figure out the path of the actual flag, we can use file_loader.php
to read it using relative paths. Going back to the problem, we notice they have provided us the source to the page. These lines seem paticualy interesting:
<?php
$config_file = fopen("/resources/config/admin_mode.config", "r");
if (fgets($config_file) === "true") {
$flag_file = fopen("/resources/secrets/flag", "r");
echo fgets($flag_file);
flose($flag_file);
}
fclose($config_file);
?>
The $flag_file
seems to be at /resources/secrets/flag
. Now all we have to do is get file_loader.php
to read from it. To do this we pass file=../secrets/flag
to the file_loader.php
where the ..
goes up a directory to the resources
folder and the /secrets/flag
navigates from the resources folder to the flag.
i_like_being_included