This post spoils a CTF challenge … Don’t read if you want to try it !

ECW (European Cyber Week) is a Jeopardy student CTF challenge. It is organized by Thales, Airbus and the Bretagne region. I had a great time solving these challenges, despite a little abusive guessing in stegano challenges. Hurry to hand over this !

SysIA is a Web challenge with a Local File Inclusion. I will explain here how I solved it.

[+] Recon

We are facing a PHP website :

main page


There are a few pages, which doesn’t seem vulnerable. But, the robots.txt contains a interesting information :
robots page


Let’s request this non-indexed page :
lfi page


Hum, this looks like an LFI… After the classic test, we can confirm this diagnosis :
https://example.fr/notinterestingfile.php?page=../../../../etc/passwd

lfi confirm page

[+] Exploitation

After a little fuzzing, it appears that some files in the /root directory are readable… Well, the sysadmin AI still has to learn ¯\(ツ)/¯.
Let’s request the /root/.bash_history file which contain the bash commands history for user ‘root’.

https://example.fr/notinterestingfile.php?page=../../../../root/.bash_history

lfi confirm page

After a bit of formatting, we can find 3 interesting commands :
+ locate flag.txt
+ updatedb
+ locate flag.txt

It seems like the sysadmin tried to locate flag.txt file, it failed and he then updated the file database.
The file database should contain the flag.txt file location …
The default location for this file db is : /var/lib/mlocate/mlocate.db.

https://example.fr/notinterestingfile.php?page=../../../../var/lib/mlocate/mlocate.db

lfi confirm page

We have the flag !

https://example.fr/notinterestingfile.php?page=../../../../var/www/ECW/solution/web/lfi/flag.txt

lfi confirm page

Flag is : flezkljfezfezfezmljdfsmsdfsds4s4fez54f5e4z54.

[+] Bye

Thanks to Haax for the screenshots ! I totally forgot to take some during the CTF :(
Feel free to tell me what you think about this post :)