PicoCTF 2014 Write-ups

Potentially Hidden Password - 100 (Web Exploitation)

Writeup by Oksisane

Created: 2014-11-08 13:21:43

Last modified: 2014-11-09 23:28:12


This Daedalus Corp. website loads images in a rather odd way... [Source Code]


The file_loader.php page might be able to serve more than just images.



Using file_loader.php to view a file in another directory with relative paths.


The hint tells us to check out file_loader.php. Going to the link http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg, we can see that file_loader.php takes a file parameter containing the name of the file requested, and then displays that file. What if we try requesting flag.txt? Entering the URL http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=flag.txt does not work, but the error tells us:

No such file: /resources/files/flag.txt

So now we know that file_loader.php is looking for a file in /resources/files. If we can figure out the path of the actual flag, we can use file_loader.php to read it using relative paths. Going back to the problem, we notice that they have provided us with the source of the page. These lines seem particularly interesting:

         $config_file = fopen("/resources/config/admin_mode.config", "r");
         if (fgets($config_file) === "true") {
            $flag_file = fopen("/resources/secrets/flag", "r");
            echo fgets($flag_file);

The $flag_file seems to be at /resources/secrets/flag. Now all we have to do is get file_loader.php to read from it. To do this, we pass file=../secrets/flag to file_loader.php: the .. goes up one directory from /resources/files to the resources folder, and /secrets/flag navigates from the resources folder to the flag.
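
The root cause, shown as an added example rather than the challenge's actual file_loader.php (its source is not part of this write-up): a loader that concatenates the file parameter onto /resources/files, next to one that canonicalises the path and refuses anything outside that directory. The function names, the temp-directory layout and the file contents are constructed for illustration.

```php
<?php
// Added example: hypothetical reconstruction, not the challenge's file_loader.php.
// The layout mirrors the paths named in the write-up, built under a temp dir.
$root = sys_get_temp_dir() . '/resources_' . bin2hex(random_bytes(4));
mkdir("$root/files", 0700, true);
mkdir("$root/secrets", 0700, true);
file_put_contents("$root/files/zone1.jpg", "constructed image bytes");
file_put_contents("$root/secrets/flag", "constructed_flag_value");

// Vulnerable pattern: the parameter is concatenated onto the base directory.
function load_unsafe(string $base, string $file): string {
    $path = "$base/$file";
    if (!is_file($path)) {
        return "No such file: $path";   // also leaks the server-side path
    }
    return file_get_contents($path);
}

// Hardened pattern: canonicalise, then require the result to stay inside $base.
function load_safe(string $base, string $file): ?string {
    $baseReal = realpath($base);
    $real = realpath("$base/$file");    // resolves ".." and symlinks; false if missing
    if ($baseReal === false || $real === false
        || strncmp($real, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0
        || !is_file($real)) {
        return null;                    // generic failure, no path in the response
    }
    return file_get_contents($real);
}

// The three requests from the write-up, run against both loaders.
foreach (['zone1.jpg', 'flag.txt', '../secrets/flag'] as $req) {
    printf("%-16s unsafe: %-40s safe: %s\n", $req,
        load_unsafe("$root/files", $req),
        load_safe("$root/files", $req) ?? '(rejected)');
}
```

Comparing against the base directory with a trailing separator matters: a plain prefix check on /resources/files would also accept a sibling directory such as /resources/files_old.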