Root-me.org

Path Truncation

PHP Limits

We’re exploitating a php problem found a while go. The documentation on the website is really useful for this challenge.

The link is here [[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20PHP%20path%20truncation.html]]

To make things simple we need to append “/.” to the url until php truncate everything and we’ll give us access to the page.

In the documentation there’s a bash script that will allow us to keep querying the website. We found a a link that we can exploit by click on the home link in the challenge page [[http://challenge01.root-me.org/web-serveur/ch35/index.php?page=home]]

We’ll remove the word home and replace it by anything. In my case i replaced it by the word “something”. We then used the script to query the url and appending “/.” after each interation. Also we need that the page that we’re looking for is called admin.html because of the link in the home page. When we click on the link we get a 403 and we get to see what’s the link(page) that we need to fetch.

So the link will go from the home url then going back a folder to get the admin.html file.

This is the script:

#!/bin/bash
url="http://challenge01.root-me.org/web-serveur/ch35/index.php?page=something/../admin.html"
n_iterations=3000
for ((repetitions=1; repetitions<=n_iterations; repetitions+=1)); do
 if [ -z "`curl -kis $url | grep "flag"`" ]; then
  echo -en "[$repetitions]";
 else
  echo -en ".""" ;
  echo "$url"
 fi
 url+="/."; 
done

The script will kept trying until he finds the word flag in the page. We’ll encounter the page after 2022 “/.”

The password will be there.