Writeup — MiniSTRyplace — Cyber Apocalypse 2021 — HackTheBox
Initial Stage
By inspecting the challenge/index.php file, we can see that the web server does a curious string substitution:
Let’s break this down. If the GET request contains a parameter lang (isset($_GET['lang'])), then it will go on and substitute every ../ with an empty string in the argument of the parameter lang. Otherwise, it will choose a random element from the array $lang. The result of the ternary operator will be concatenated with pages/, and this ‘page’ will be shown. For example, if we request:
we will get nothing, since the ../ will be substituted with an empty string and the resulting page requested would be /pages/flag (which does not exist).
Right Climbing
In this situation, if we want to climb the file system, we can just, instead of using ../, employ ....// . In fact, the middle ../ will be removed and what is left is ../ . So, since the flag is placed two folders back from /pages, we can use the following URL to get to it:
And Boom! The flag will be displayed!
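The single-pass filter next to a stricter lookup, as an added example that is not the challenge's code or part of the original writeup. It assumes PHP 8 (for str_starts_with); strip_once and resolve_page are hypothetical helper names, and the page name and temporary directory are constructed.

```php
<?php
// Added example, not the challenge's index.php. Names and paths are constructed.

// The filter as the writeup describes it: one str_replace pass over the input.
function strip_once(string $lang): string
{
    return str_replace('../', '', $lang);
}

// Hardened lookup: the parameter only selects from an allow-list, and the
// resolved path must still sit inside the pages directory.
function resolve_page(string $lang, string $pagesDir, array $allowed): ?string
{
    if (!in_array($lang, $allowed, true)) {
        return null;                 // unknown name: reject, do not try to sanitize
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $lang);
    if ($base === false || $path === false) {
        return null;                 // directory or file does not exist
    }
    // Containment check also covers symlinks or a bad allow-list entry.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Constructed sandbox: <tmp>/lfi_demo_<pid>/pages/en.php
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/en.php", 'hello');

// Constructed inputs: a valid page, a plain traversal, and the nested form.
foreach (['en.php', '../flag', '....//flag'] as $in) {
    $filtered = strip_once($in);
    $hardened = resolve_page($in, "$root/pages", ['en.php']);
    printf("%-12s strip_once -> pages/%-10s hardened -> %s\n",
        $in, $filtered, $hardened === null ? 'rejected' : 'served');
}

// Clean up the sandbox.
unlink("$root/pages/en.php");
rmdir("$root/pages");
rmdir($root);
```

Because str_replace does not rescan its own output, the nested input leaves the filter as ../flag, while the allow-list version never builds a path from unrecognised input.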
Cheers!
Kevin