# PicoCTF 2014 Write-ups

## Potentially Hidden Password - 100 (Web Exploitation)

#### Writeup by Oksisane

Created: 2014-11-08 13:21:43

### Problem

This Daedalus Corp. website loads images in a rather odd way... [Source Code]

### Hint

The file_loader.php page might be able to serve more than just images.

### Overview

Using file_loader.php to view a file in another directory with relative paths.

### Details

The hint tells us to check out file_loader.php. Going to the link http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg we can see that file loader.php takes in a file id with the of name of the file requested, and then displays the file. What if we try requesting flag.txt? Entering the url http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=flag.txt does not work, but the error tells us:

No such file: /resources/files/flag.txt


So now we known that file_loader.php is looking for a file in /resources/files. If we can figure out the path of the actual flag, we can use file_loader.php to read it using relative paths. Going back to the problem, we notice they have provided us the source to the page. These lines seem paticualy interesting:

<?php
$config_file = fopen("/resources/config/admin_mode.config", "r"); if (fgets($config_file) === "true") {
$flag_file = fopen("/resources/secrets/flag", "r"); echo fgets($flag_file);
flose($flag_file); } fclose($config_file);
?>


The \$flag_file seems to be at /resources/secrets/flag. Now all we have to do is get file_loader.php to read from it. To do this we pass file=../secrets/flag to the file_loader.php where the .. goes up a directory to the resources folder and the /secrets/flag navigates from the resources folder to the flag.

### Flag

i_like_being_included