Will anyone please give me a hint about getting initial access to this box? Thanks
Finally got this one. Hint to others: To actually exploit I needed to look into some interesting behavior (not well documented) PHP has with executing functions when all you control is variable expansion.
Got it! Thanks for a cool challenge! I am curious how other people exploited it, as I think there's several ways to do it (using the same vuln).
If you need a hint, DM me with what you have tried and I will provide a nudge
A little nudge for those who are not familiar with PHP: there is something in common with other scripting languages (e.g. Bash), related to string parsing.
STUCK
I found the vulnerability, but I can't exploit it. I think there is some filtering. Can anyone give a little hint?
The worst challenge ever and too boring cuz of php.
I've got the info, but really struggling to go any further. Can I message someone please?
I put a lot of logging code into the source code to see what is happening in the background. I suspect two vulnerable functions. However, when I try injection using multi-byte characters, my log messages become empty strings and the server does not break.
If anyone can give me a nudge, I would be very thankful.
As someone with minimal PHP experience, this was quite the frustrating "easy" challenge. I finally figured it out but it wasn't a good looking solution by any means. I did learn a lot though!
Could anyone PM me a hint?
Spent a good 2 hours researching for techniques to bypass that one function…
As it turned out, DuckDuckGo may be excellent to have some privacy, but the search results can be quite bad. With Google, I did 2 searches and the answer was in the Top 3.
Also fell into a deep rabbit hole because I didn't fully understand how the first technique I researched works, and that it isn't applicable here. Some 2-3 hours lost in php -a
…
The vuln is obvious, how to package/structure/format/encode the payload is literally 10 minutes of Google. Really hard to give hints without spoiling everything.
I'm able to see the file name for the flag but stuck at opening the file, can anybody PM me a hint?
can anyone DM me for a hint?
@octopus175 said:
> can anyone DM me for a hint?
NVM just got flag, big thanks to @NoMad for the help!
Looking into the error log, I saw some undefined constant x - assumed 'x'.
Is there anybody that ran some exploit that doesn't show that message?
I guess that in future versions of PHP this might be corrected, and my exploit is no more available.
For some reason the right answer didn't work, I think because of a typo, and I switched to other ideas, while the first one was right. So always check things a few times. sit happens
Major Spoiler. Please edit your post.
In my opinion, the error is correct. Your customized GET or POST parameters are not passed to the Model function.
In the access log, there are some variables that are passed through requests.
Can't figure out where the flag is… I'm starting to feel stupid xD any advice?
Edit: done, I need more sleep probably