CSAW — Poems for you

comet
3 min read · Sep 13, 2021


To give a quick backstory: this challenge was one of the CSAW qualifiers. I didn't have time to solve many other challenges, but I took notes for this one and it was kind of fun, which is why I decided to publish it anyway. There won't be any other writeups for this CTF event. I made the post longer than needed to showcase my methodology, so if you are a beginner this might help you out.

Now, after clicking on "poems" we get redirected to /poems. As we can see, there is an error message and three poems that we can read. The error message shows the file_get_contents() function, which basically screams local file inclusion (LFI).

I still decided to look up the function and found out that it can open local files and also fetch files over HTTP, essentially allowing us to trigger a server-side request forgery (SSRF).

However, when attempting an SSRF we can reach the flag but still not read it. Notable, but not interesting for the challenge right now.

Now let's focus on the LFI. After clicking on one of the poems we see that it is requested through the URL parameter /?poem=. I will now switch to Burp Suite since it has more utilities that come in handy when bypassing filters.

To prove an LFI I usually try to access some kind of system file that always exists.

And we can read /etc/passwd; now we only need to find the flag. Since simply putting in flag.txt doesn't work, let's take another look at the error message.

According to the error message, the file cannot be found in /var/www/html/poems/index.php, so the flag might be in the directory above our current one. We can try to move up one level using ../

And we get the flag.
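The challenge source is not shown in the post, so as an added example (not the challenge's own code) here is a reconstruction of the pattern the error message points to, with a hardened version beside it. The poem names and the poems directory are assumptions.

```php
<?php
// Added example, not the challenge's source: the vulnerable pattern the
// file_get_contents() error suggests, and a hardened replacement.

// VULNERABLE: the request parameter goes straight into file_get_contents().
// A value like "../flag.txt" walks out of the poems directory (the LFI the
// post uses) and an "http://..." value makes the server fetch a remote URL
// (the SSRF the post notices).
function read_poem_vulnerable(string $poem)
{
    return file_get_contents($poem);
}

// HARDENED: only a fixed set of poems may be read, the parameter never
// becomes part of a path, and the resolved file must stay inside $dir.
function read_poem_safe(string $poem, string $dir = __DIR__ . '/poems')
{
    // Allowlist of the three poems the page offers (names are assumed).
    $allowed = ['poem1', 'poem2', 'poem3'];
    if (!in_array($poem, $allowed, true)) {
        return false;
    }

    // realpath() returns false for missing files and collapses any "../"
    // segments, so the containment check below sees the canonical path.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $poem . '.txt');
    if ($base === false || $path === false) {
        return false;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved outside the poems directory
    }

    return file_get_contents($path);
}

// Request handling: the failure branch reveals nothing about the filesystem,
// unlike the original error message that leaked /var/www/html/poems/index.php.
$poem = $_GET['poem'] ?? '';
$text = read_poem_safe($poem);
echo $text === false ? 'Unknown poem' : htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
```

The allowlist alone already blocks traversal and URL schemes; the realpath() containment check is a second line of defence in case the allowlist is later relaxed to user-supplied names.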

