
247ctf [Web]: ForgottenFilePointer


Introduction

Can you identify a way to bypass our login logic? MD5 is supposed to be a one-way function right?

Source code:

<?php
  $fp = fopen("/tmp/flag.txt", "r");
  if($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET['include']) && strlen($_GET['include']) <= 10) {
    include($_GET['include']);
  }
  fclose($fp);
  echo highlight_file(__FILE__, true);
?>

The web application lets us include any file whose path is at most 10 characters long, and include() of a file that contains no PHP tags simply echoes its contents.
We also know that the script holds an open file handle ($fp) on /tmp/flag.txt, the file that contains the flag.

What is a file descriptor?

A file descriptor is an abstract handle used to access a file (or other I/O resource). It is represented as a small non-negative integer that refers to an open file within the process.
On Linux, the open descriptors of a process are exposed as paths in two places:

  • /dev/fd/ (a symlink to /proc/self/fd/, i.e. the descriptors of the process doing the lookup)
  • /proc/PROC_ID/fd/

Exploitation

As explained above we can include local files, so we could try to include the open file descriptor directly, but the length limit must be kept in mind:

print(len("/dev/fd/"))            # 8
print(len("/proc/PROC_ID/fd/"))   # 17

We can't exceed 10 characters, so /dev/fd/ is the only candidate: the 8-character prefix plus a one- or two-digit descriptor number fits the limit. Brute-forcing include=/dev/fd/1 through /dev/fd/99 returns the flag.
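Both halves of the write-up in one added Python example (not code from the challenge or from the author): first, why a handle left open across include() is reachable through the short /dev/fd/N path, and second, the check that should have replaced strlen() <= 10. It assumes a hypothetical include root /var/www/includes and a constructed secret in place of /tmp/flag.txt.

```python
import os
import tempfile
from typing import Optional, Tuple

# Constructed stand-in for the contents of the challenge's /tmp/flag.txt.
SECRET = "FLAG{constructed_example}\n"


def read_forgotten_descriptor(secret: str = SECRET) -> Tuple[int, str]:
    """Open a secret file and leave the handle open, as the PHP snippet leaves
    $fp open across include(). Returns (descriptor number, text read back via
    /dev/fd/<n>): the short /dev/fd path reaches the descriptor although the
    original file name never appears in the request."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    fp = open(path, "r")  # the "forgotten" file pointer
    try:
        fd = fp.fileno()
        # "/dev/fd/" is 8 chars, so one or two digits still fit a 10-char limit
        with open(f"/dev/fd/{fd}", "r") as alias:
            data = alias.read()
    finally:
        fp.close()
        os.unlink(path)
    return fd, data


# Hypothetical include root; the challenge publishes no such directory.
INCLUDE_ROOT = "/var/www/includes"


def safe_include_target(user_value: str, root: str = INCLUDE_ROOT) -> Optional[str]:
    """Replacement for the length check: resolve the requested name and accept
    it only if it stays inside the include root. /dev/fd/N resolves to whatever
    file the descriptor refers to (e.g. /tmp/flag.txt), so it is rejected, as
    are ../ traversals and absolute paths outside the root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_value))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    fd, data = read_forgotten_descriptor()
    print(f"fd {fd} read back through /dev/fd/{fd}: {data.strip()}")
    for value in ("header.php", "/dev/fd/3", "../../../tmp/flag.txt"):
        print(f"{value!r:26} -> {safe_include_target(value)}")
```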

WRITTEN BY
ITasahobby