## Lazy dev - Web challenge (400 points)

The final web challenge comes with a link: http://fun.ritsec.club:8007. Hmm, it takes
us back to *The tangled web* challenge.  
At first, I was thinking that it was a mistake, but after reviewing all the pages
I crawled, I saw a comment which led us further.  
The comment was found in http://fun.ritsec.club:8007/Stars.html and it goes like
this:

```

  
```  
So I went to http://fun.ritsec.club:8007/devsrule.php and I am welcomed with:  
```  
Not what you input eh?  
This param is 'magic' man.  
```  
Well, it is said that the parameter is *magic*.

I started poking around and after a while I finally figured out that it is an LFI
to RCE!  
We have to use the **php://input** wrapper!

I intercepted the GET request with Burp Suite and changed it to
`POST /devsrule.php?magic=php://input HTTP/1.1`.  
Next thing was to add POST data so I ran `````` and I got this response:  
```
Not what you input eh?
This param is 'magic' man.

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
The next step was to find the flag. With simple poking around we found our flag in
`/home/joker/flag.txt`.

To read the flag we execute `````` and we got the flag in the response!

Flag is: **RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}**
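
A defender's view of the request described above, as an added example that is not part of the original writeup: a small Python check that flags access-log requests whose query parameters carry a PHP stream wrapper such as `php://input`, including percent-encoded forms. The log lines are constructed samples, and the function names and the wrapper list are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream-wrapper schemes that should never be the value of a query parameter.
# The list is this example's assumption; extend it for your environment.
WRAPPER_RE = re.compile(
    r"^\s*(php|data|expect|phar|zip|file|glob)://", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /Stars.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:02:11 +0000] "POST /devsrule.php?magic=php://input HTTP/1.1" 200 97',
    '203.0.113.7 - - [01/Jan/2024:10:02:40 +0000] "POST /devsrule.php?magic=PHP%253A%252F%252Finput HTTP/1.1" 200 97',
    '198.51.100.4 - - [01/Jan/2024:10:03:05 +0000] "GET /devsrule.php?magic=about HTTP/1.1" 200 60',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. php%253A%252F%252Finput)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_hits(log_line):
    """Return (method, path, param, wrapper) for each wrapper-valued parameter."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m["target"])
    hits = []
    # parse_qsl decodes once; fully_decode catches double-encoded values.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        w = WRAPPER_RE.match(fully_decode(value))
        if w:
            hits.append((m["method"], url.path, name, w.group(1).lower()))
    return hits

def scan(lines):
    """Collect hits across all log lines."""
    return [hit for line in lines for hit in wrapper_hits(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious include target: %s %s param=%s wrapper=%s" % hit)
```

On the server side, `php://input` is only usable as an include target when `allow_url_include` is enabled, so keeping that setting off and mapping the parameter to an allowlist of files closes the path this check looks for.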

Original writeup
(https://github.com/m-veljkovic/Writeups/blob/master/RITSEC/Lazy%20dev.md).