Advent of CTF - Challenge 11
“Filter”
Challenge
Building on the previous challenge, this one adds a layer of complexity through filtering and the need to combine multiple elements to achieve an exfiltration.
In this challenge you will learn:
- How to detect filtering
- How to use php://filter
Solution
Santa’s book of secrets has upgraded its security. All should be fine now.
The challenge starts with the same page as in Challenge 10. As the description says that the security has been upgraded, it is fair to assume it is the same type of challenge, only with some added security features.

Direct access to flag.php leads to the text "Direct access not permitted". This means that this time it is not possible to get the flag from this page directly.

As with the previous challenge, there is a cookie for zerooneone.
eyJwYXRoIjoiLiIsInBhZ2UiOiJtYWluIn0=
As with almost all previous challenges, a Base64-encoded string containing a JSON structure is stored in the cookie. Decoding it reveals 2 keys: path and page. The current values are "." for the current directory and main for the main.php page.
{"path":".", "page":"main" }
The first thing to try is to change the page value to flag. This should include the flag.php file that is there according to the description.
{"path":".", "page":"flag" }
This, however, results in an error message. The message at the end of the line is no direct access, so apparently the file is there, but direct access to it is not allowed.

Playing around with this payload might make you try to change the path. When you use more than 1 "." the path will also throw an error.
{"path":"../../../../../../", "page":"/etc/passwd" }
The error message is displayed just like the previous one. So, the flag cannot be retrieved directly, and navigating the file system does not seem to work either.

Investigating ways to do a file inclusion in PHP will eventually bring you to extracting data using php://filter. This is part of PHP Wrappers. It basically allows you to filter resources through a conversion tool, such as convert.base64-encode. This seems like a great opportunity.
{"path":".", "page":"php://filter/convert.base64-encode/resource=flag" }
However, it ends in an error message, which says it is due to a blacklist.

So, some of the words used are on a blacklist. This means that part of the payload was not allowed to be there. Playing with this, you will find that the word filter is not allowed in the page value. Similarly, the word base is not allowed in the path.
Thinking the challenge over, the 2 parts of the JSON structure can be assumed to be used in something like the listing below.
include($data["path"] . "/" . $data["page"] . ".php");
Using this knowledge, and the insight into what is allowed in each part, the PHP wrapper can be built as a 2-part string: the first part, with filter, goes in the path and the second part, with convert.base64-encode, goes in the page.
{"path":"php://filter", "page":"convert.base64-encode/resource=flag" }
The payload will result in a big blob of Base64 text to be presented on the page.

Decoding the blob of text will show the contents of flag.php. The flag can be retrieved from the code.
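The two-part string gets through because each field is checked on its own while include() receives the joined result. The PHP below is an added example, not the challenge's source: weak_check() is a constructed model of the blacklist inferred in this write-up, and safe_target() with its pages/ directory is a hypothetical allowlist-based replacement.

```php
<?php
// Added example: constructed model of the challenge's filter, not its real source.

// Per-field blacklist as inferred above: "filter" is banned in page,
// "base" is banned in path, and more than one "." in path is rejected.
function weak_check(array $data): bool {
    if (stripos($data['page'], 'filter') !== false) return false;
    if (stripos($data['path'], 'base') !== false) return false;
    if (substr_count($data['path'], '.') > 1) return false;
    return true;
}

// The string include() actually receives once the fields are joined.
function resolved_target(array $data): string {
    return $data['path'] . '/' . $data['page'] . '.php';
}

// Hardened form: ignore path entirely and map page through a fixed allowlist,
// so no user-controlled string ever reaches include().
function safe_target(array $data): ?string {
    $pages = ['main' => __DIR__ . '/pages/main.php']; // hypothetical layout
    $page = $data['page'] ?? '';
    return is_string($page) && isset($pages[$page]) ? $pages[$page] : null;
}

// Cookie values taken from the write-up, already Base64- and JSON-decoded.
$samples = [
    ['path' => '.', 'page' => 'main'],
    ['path' => '.', 'page' => 'php://filter/convert.base64-encode/resource=flag'],
    ['path' => 'php://filter', 'page' => 'convert.base64-encode/resource=flag'],
];

foreach ($samples as $data) {
    $target = resolved_target($data);
    // A scheme prefix on the joined string is what the per-field check misses.
    $isWrapper = preg_match('#^[a-z][a-z0-9+.\-]*://#i', $target) === 1;
    printf("%-56s weak=%-5s wrapper=%-3s safe=%s\n",
        $target,
        weak_check($data) ? 'pass' : 'block',
        $isWrapper ? 'yes' : 'no',
        safe_target($data) ?? 'rejected');
}
```

Only the split payload both passes weak_check() and resolves to a stream wrapper, while safe_target() rejects it because the value is never used to build a path.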

Be sure to grab your points and the badge.
