Created: 2014-11-08 13:21:43
Last modified: 2014-11-09 23:28:12
This Daedalus Corp. website loads images in a rather odd way... [Source Code]
The file_loader.php page might be able to serve more than just images.
Using file_loader.php to view a file in another directory with relative paths.
The hint tells us to check out file_loader.php. Going to the link http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg we can see that file loader.php takes in a file id with the of name of the file requested, and then displays the file. What if we try requesting flag.txt? Entering the url http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=flag.txt does not work, but the error tells us:
No such file: /resources/files/flag.txt
So now we known that file_loader.php is looking for a file in /resources/files. If we can figure out the path of the actual flag, we can use file_loader.php to read it using relative paths. Going back to the problem, we notice they have provided us the source to the page. These lines seem paticualy interesting:
<?php
$config_file = fopen("/resources/config/admin_mode.config", "r");
if (fgets($config_file) === "true") {
$flag_file = fopen("/resources/secrets/flag", "r");
echo fgets($flag_file);
flose($flag_file);
}
fclose($config_file);
?>
The $flag_file seems to be at /resources/secrets/flag. Now all we have to do is get file_loader.php to read from it. To do this we pass file=../secrets/flag to the file_loader.php where the .. goes up a directory to the resources folder and the /secrets/flag navigates from the resources folder to the flag.
i_like_being_included