Writeup — MiniSTRyplace — Cyber Apocalypse 2021 — HackTheBox
Initial Stage
By inspecting the challenge/index.php file, we can see that the web server does a curious string substitution:
Let’s break this down.
If the GET request contains a parameter lang ( isset($_GET('lang']) ), then it will go on and substitute every ../ with an empty string in the argument of the parameter lang . Otherwise, it will choose a random element from the array $lang . The result of the ternary operator will be concatenated with pages/. and this ‘page’ will be shown. For example, if we request:
we will get nothing, since the ../ will be substituted with an empy string and the resulting page requested would be /pages/flag (which does not exist).
Right Climbing
In this situation, if we want to climb the file system, we can just, instead of using ../ , employ ....// . In fact, the middle ../ will be removed and it will be left ../ . So, since the flag is placed two folders back from the /pages , we can use the following URL to get to it:
And Boom! The flag will be displayed!
Cheers!
Kevin
