zer0pts CTF, zer0pts CTF 2020, web
We're given the source code (index.php) and the Dockerfile. As you can see from index.php, you get the flag either if you guess the value of bin2hex(random_bytes(64)) or if you can read config.php.
Of course, guessing random_bytes(64) is not realistic, so the goal is to read config.php. Bypassing hash_equals is also impossible: if either parameter is not a string, hash_equals returns FALSE (on PHP 8 it throws a TypeError instead), so posting guess[]=test just makes the app show Wrong.
The remaining suspicious part is highlight_file(basename($_SERVER['PHP_SELF']));, which prints the script's own source code. basename returns the trailing name component of a path, and $_SERVER['PHP_SELF'] is the path of the currently executing script, relative to the document root.
But why does this app check whether $_SERVER['PHP_SELF'] ends with config.php? Because $_SERVER['PHP_SELF'] also contains any PATH_INFO appended to the script name: if you request /index.php/config.php, $_SERVER['PHP_SELF'] is /index.php/config.php, and basename of that is config.php. Without the check, the server would highlight the contents of config.php, flag included.
So we need to bypass the check. Let's look at the documentation of basename again:
Caution: basename() is locale aware, so for it to see the correct basename with multibyte character paths, the matching locale must be set using the setlocale() function.
What does that mean in practice? Let's reproduce the environment with the given Dockerfile and fuzz the trailing path component.
It turns out that if /(any byte outside the ASCII range) is appended, basename still returns config.php: in the default C locale a byte of 0x80 or above is not a valid character, so basename skips it without starting a new path component, while the "ends with config.php" check no longer matches.
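The behaviour found above, reproduced in a small PHP script. This is an added example, not the challenge's own index.php: it contains a stand-in for the check, the same basename() call the challenge makes, and a hardened variant that does not derive the file name from request data. The regex form of the check is my assumption (the writeup only says it rejects a PHP_SELF ending in config.php), and so is a glibc-based image running in the C locale; on a musl-based (Alpine) image the C locale accepts high bytes, so the result there may differ.

```php
<?php
// Added example, not the challenge's own index.php. It stands in for the
// vulnerable pattern described in the writeup and shows the basename()
// behaviour that gets around the check.
// Assumptions: the check is a regex that rejects a PHP_SELF ending in
// config.php (optionally followed by slashes); the process runs in the
// C/POSIX locale on glibc, as a Debian-based php image without LANG set does.
declare(strict_types=1);

// Assumed shape of the challenge's check.
function rejectsPhpSelf(string $phpSelf): bool
{
    return preg_match('#config\.php/*$#i', $phpSelf) === 1;
}

// What the vulnerable code would hand to highlight_file() for a given
// PHP_SELF, or null when the check blocks the request.
function vulnerableTarget(string $phpSelf): ?string
{
    if (rejectsPhpSelf($phpSelf)) {
        return null;
    }
    return basename($phpSelf);
}

// Hardened variant: never derive the file from request data. The feature only
// ever needs to show this script itself, so use __FILE__ and ignore PHP_SELF.
function hardenedTarget(): string
{
    return __FILE__;
}

setlocale(LC_CTYPE, 'C');

// Constructed request paths as PHP_SELF sees them. %80 and %ff in the URL are
// already decoded to raw bytes in PATH_INFO by the time the script runs.
$cases = [
    '/index.php',
    '/index.php/config.php',
    '/index.php/config.php/',
    "/index.php/config.php/\x80",
    "/index.php/config.php/\xff",
];

foreach ($cases as $phpSelf) {
    $shown = vulnerableTarget($phpSelf);
    printf("%-32s -> %s\n",
        addcslashes($phpSelf, "\x80..\xff"),   // print high bytes as octal escapes
        $shown ?? '(rejected by check)');
}

printf("hardened variant always shows: %s\n", hardenedTarget());
```

Under these assumptions the first path resolves to index.php, the two plain config.php paths are rejected, and the two paths with a trailing high byte pass the check while basename() still returns config.php, which is exactly what the fuzzing above found. The hardened function makes the locale question irrelevant because there is no request-controlled path left to parse.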
Finally, you can get the flag by requesting http://3.112.201.75:8003/index.php/config.php/%80?source (the %80 decodes to the single byte 0x80).