The challenge today is to get the flag that is in flag.php. Today you will learn:
- Local File Inclusions in PHP
- Rainbow tables
When files are included things can get real messy. The flag is in flag.php.
The key to Local File Inclusion (LFI) is that you trick a program into including a file that is not included under normal circumstances. This challenge revolves around this concept. The challenge starts with a somewhat empty page.
The challenge said that the flag is in flag.php. Go to the URL /flag.php to see if it is available.
The hint on the page is that we as a user need to get promoted. There is no other clue as to what to do next. Browsing the DevTools (F12) will show that there is a cookie called zeroten. Its content is URL-encoded Base64. Decoding it yields a Base64-encoded JSON structure, note the
Decoding the value will show a JSON structure with the keys
role is encoded. As the hint said it was an include challenge the reasonable thing to do is to change
flag, assuming it will add the .php to it.
Change the value in the JSON structure and then Base64 encode it again.
This does indeed include flag.php in the main page; however, it still shows that the user needs to get promoted.
The rabbit hole in this challenge is that a seasoned tester might consider type juggling in the PHP language for the hash comparison. This is not the case in this challenge. The hash has to be replaced with something reasonable.
Looking up the value on hashes.com will reveal that this hash is actually the sha1 of the word user. The hash type can be identified by using the hash identifier. Looking up a hash in a list is called a rainbow table, a precomputed list of words and their hashes that you can search without needing to hash them yourself.
Using CyberChef, the value admin can be passed through the sha1 encoder. This will result in d033e22ae348aeb5660fc2140aec35850c4da997 as a value. Add the value to the JSON structure.
Encoding this structure into Base64 and adding it in the DevTools (F12) will reveal the flag after reloading the webpage.
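From the defender's side, the walkthrough works because the server trusts a client-editable cookie for both the included file name and the role. The following is an added example, not the challenge's source code, of handling such a cookie with an HMAC signature and an include allowlist. The key name page, the page file names and the secret are assumptions made for illustration.

```php
<?php
// Added example: hypothetical server-side handling, not the challenge's source.
// Assumed cookie layout: base64(JSON {"page": ..., "role": ...}) . "." . hex HMAC.
const COOKIE_KEY = 'replace-with-random-server-side-secret'; // placeholder secret
const PAGES = ['home' => 'home.php', 'about' => 'about.php']; // allowlist; flag.php is absent

function issue_cookie(array $claims): string
{
    $body = base64_encode(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, COOKIE_KEY);
}

function read_cookie(string $raw): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time check: any client-side edit to the body invalidates the MAC.
    if (!hash_equals(hash_hmac('sha256', $body, COOKIE_KEY), $mac)) {
        return null;
    }
    $json = base64_decode($body, true);
    $claims = $json === false ? null : json_decode($json, true);
    return is_array($claims) ? $claims : null;
}

function resolve_page(?array $claims): string
{
    // Map the requested name through the allowlist instead of appending ".php" to it.
    $name = is_array($claims) && is_string($claims['page'] ?? null) ? $claims['page'] : 'home';
    return PAGES[$name] ?? PAGES['home'];
}

// Constructed sample values.
$good = issue_cookie(['page' => 'about', 'role' => 'user']);
// Body edited the way the walkthrough does it, with the old signature reused.
$tampered = base64_encode(json_encode(['page' => 'flag', 'role' => 'admin']))
    . '.' . explode('.', $good, 2)[1];

var_dump(resolve_page(read_cookie($good)));  // signed cookie, allowlisted page
var_dump(read_cookie($tampered));            // rejected: signature does not match the body
var_dump(resolve_page(['page' => 'flag']));  // falls back to the default page
```

Keeping the role in a server-side session instead of the cookie removes the need to send it to the client at all.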
Go grab the points and make sure to also share your badge on social media!