Advent of CTF - Challenge 10
“Include”
Challenge
The challenge today is to get the flag that is in flag.php. Today you will learn:
- Local File Inclusions in PHP
- Rainbow tables
Solution
When files are included things can get real messy. The flag is in flag.php.
The key to Local File Inclusion (LFI) is that you trick a program into including a file that is not included under normal circumstances. This challenge revolves around this concept. The challenge starts with a somewhat empty page.

The challenge said that the flag is in flag.php. Go to the URL /flag.php to see if it is available.

The hint on the page is that we as a user need to get promoted. There is no other clue as to what to do next. Browsing the DevTools (F12) will show that there is a cookie called zeroten. Its content is URL-encoded Base64. Decoding it yields a Base64-encoded JSON structure; note the leading eyJ.
eyJwYWdlIjoibWFpbiIsInJvbGUiOiIxMmRlYTk2ZmVjMjA1OTM1NjZhYjc1NjkyYzk5NDk1OTY4MzNhZGM5In0=
Decoding the value will show a JSON structure with the keys page and role. The role is encoded. As the hint said it was an include challenge, the reasonable thing to do is to change page from main to flag, assuming the application will append .php to it.
{"page":"main","role":"12dea96fec20593566ab75692c9949596833adc9"}
Change the value in the JSON structure and then Base64 encode it again.
{"page":"flag","role":"12dea96fec20593566ab75692c9949596833adc9"}
This does indeed include flag.php into the main page; however, it still shows that the user needs to get promoted.

The rabbit hole in this challenge is that a seasoned tester might consider type juggling in the PHP language for the hash comparison. This is not the case in this challenge. The hash has to be replaced with something reasonable.
Looking up the value on hashes.com will reveal that this hash is actually the sha1 of the word user. The hash type can be identified by using the hash identifier. Looking up a hash in a list like this is what a rainbow table is for: a precomputed list of words and their hashes that you can search without needing to hash anything yourself.

Using CyberChef, the value admin can be passed through the sha1 encoder. This will result in d033e22ae348aeb5660fc2140aec35850c4da997 as a value. Add the value to the JSON structure.
{"page":"flag","role":"d033e22ae348aeb5660fc2140aec35850c4da997"}
Encoding this structure into Base64 and adding it in the DevTools (F12) will reveal the flag after reloading the webpage.
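
The cookie handling from this walkthrough as an added example in Python (not code from the challenge or its author): it decodes the zeroten cookie, finds the role in a precomputed SHA-1 table, and then shows a hypothetical server-side fix in which an HMAC tag and a page allowlist make the edited cookie fail. SECRET, ALLOWED_PAGES and the sign/verify helpers are assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import unquote

# Cookie value quoted in the write-up (already URL-decoded).
COOKIE = "eyJwYWdlIjoibWFpbiIsInJvbGUiOiIxMmRlYTk2ZmVjMjA1OTM1NjZhYjc1NjkyYzk5NDk1OTY4MzNhZGM5In0="

def decode_cookie(value):
    """URL-decode, Base64-decode and parse the cookie's JSON body."""
    return json.loads(base64.b64decode(unquote(value)))

def encode_cookie(data):
    """Inverse of decode_cookie: compact JSON, then Base64."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()

def role_hash(word):
    """Unsalted SHA-1, the scheme the role field turned out to use."""
    return hashlib.sha1(word.encode()).hexdigest()

def build_table(words):
    """Precomputed hash -> word list, searched instead of hashing per guess."""
    return {role_hash(w): w for w in words}

# --- Hardened handling (hypothetical server side, not the challenge's code) ---
SECRET = b"constructed-demo-key"   # constructed; a real key never leaves the server
ALLOWED_PAGES = {"main"}           # assumption: only pages meant to be includable

def tag_for(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign(value):
    """Append an HMAC-SHA256 tag so client-side edits are detectable."""
    return value + "." + tag_for(value)

def verify(signed):
    """Return the parsed cookie, or None if the tag or the page is not acceptable."""
    value, _, tag = signed.rpartition(".")
    if not hmac.compare_digest(tag.encode(), tag_for(value).encode()):
        return None
    data = decode_cookie(value)
    return data if data.get("page") in ALLOWED_PAGES else None

if __name__ == "__main__":
    data = decode_cookie(COOKIE)
    print(data, "->", build_table(["guest", "user", "admin"]).get(data["role"]))
    edited = encode_cookie({"page": "flag", "role": role_hash("admin")})
    stale_tag = sign(COOKIE).rpartition(".")[2]
    print("edited cookie accepted:", verify(edited + "." + stale_tag) is not None)
```

The unsalted SHA-1 in the role field adds no protection because the client controls the whole cookie; the keyed tag is what ties the value to the server.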

Go grab the points and make sure to also share your badge on social media!
