
elefay

Solved by: ndrasukagacoan

Flag file in /flag.txt

10.4.79.68:20005

author: anarchistx

Accessing the URL shows:


<?php

if (isset($_GET['file']) && $_GET['file'] !== '') {
    $file = preg_replace('/flag\.txt/i', '', preg_replace('/\.\.\//', '', $_GET['file']));
    if (file_exists($file)) {
        highlight_file($file);
    } else {
        http_response_code(404);
        echo "File not found.";
    }
} else {
    highlight_file(__FILE__);
}

The code reveals that:

  • Any flag.txt string is removed
  • Any ../ is removed

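So, the trick? We use /flflag.txtag.txt. preg_replace makes a single pass and does not re-scan its own output, so once the inner flag.txt is removed, the pieces around it join up into the original flag.txt string.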

flflag.txtag.txt -> flag.txt
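
An added example (not part of the original writeup or the challenge source): the challenge's strip-based filter beside a version that canonicalizes the path with realpath() and rejects anything outside an allowed directory instead of rewriting the input. BASE_DIR, the function names and the temporary demo files are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. BASE_DIR is an assumed
// directory holding the only files the viewer may show.
const BASE_DIR = '/var/www/html/pages';

// The challenge's filter, wrapped in a function for comparison.
function weak_filter(string $input): string
{
    return preg_replace('/flag\.txt/i', '', preg_replace('/\.\.\//', '', $input));
}

// Hardened (hypothetical helper): never rewrite the input. Canonicalize it,
// then accept it only if it is a regular file inside the base directory.
function resolve_safe(string $input, string $base = BASE_DIR): ?string
{
    if ($input === '' || strpos($input, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $input);
    if ($baseReal === false || $real === false || !is_file($real)) {
        return null;
    }
    // The trailing separator stops a sibling such as "pages-old" from matching.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo tree so the script runs offline.
$root = sys_get_temp_dir() . '/elefay_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/about.txt", "about\n");
file_put_contents("$root/flag.txt", "placeholder, not a real flag\n");

// Inputs: a legitimate name, the request from this writeup, a plain traversal.
foreach (['about.txt', '/flflag.txtag.txt', '../flag.txt'] as $in) {
    printf("%-18s weak=%-12s safe=%s\n", var_export($in, true),
        var_export(weak_filter($in), true),
        var_export(resolve_safe($in, "$root/pages"), true));
}

// Remove the demo tree.
unlink("$root/pages/about.txt");
unlink("$root/flag.txt");
rmdir("$root/pages");
rmdir($root);
```

Only about.txt resolves under the hardened helper; the other two inputs return NULL because the check runs on the canonical path rather than on a rewritten string.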


FLAG: compit{k4mu_j4g0_b4ng3t_s1h_b4n9_m44f_ya_pr0bs3t_s3d4ng_m4l4s}