
172.25.200.200:9032 Web
Want to run this Docker container locally?
docker run -d -p 9032:80 --name flag-red6 --restart always joshbeck2024/ctf-pam_deny-flag-red6

Open the webpage dev.php.txt using Firefox.
- This webpage is giving you the source code for the dev.php file.

Here’s a breakdown of the code:
- dev.php is expecting a GET parameter of file
- We’ll address GET requests in an early Sec+ unit.
- The file parameter will be ‘included’ in the webpage.
If an end user can inject or control values inside a .php file, the website owners are going to have a bad time.
Key Sec+ Term: LFI (Local File Inclusion). Let’s see if we can view files on the local system via this webpage.
- Are you taking notes yet?
In the web browser, go to this URL:
- Below, you can see how the word ‘file’ can be used as a GET parameter.
http://ip_address:9032/dev.php?file=/etc/passwd

LFI successful! Let’s see if we can jump straight to the flag.
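
For the defender's side of the same bug, here is an added example (not the CTF's actual dev.php source) showing the vulnerable include pattern described in the breakdown next to an allowlisted version. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration, and the code assumes PHP 8.

```php
<?php
// Added example, not the CTF's actual dev.php. Page names and the pages/
// directory below are assumptions made for illustration.

// Vulnerable pattern described above: the GET value goes straight to include,
// so ?file=/etc/passwd makes PHP read any file the web server user can read.
//   include $_GET['file'];

// Hardened form: the request supplies a short key, never a path.
const PAGES_DIR = __DIR__ . '/pages';          // assumed content directory
const ALLOWED_PAGES = [                        // assumed page names
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(mixed $requested): ?string
{
    // Reject arrays (?file[]=x) and anything that is not an allowlisted key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still sit inside PAGES_DIR
    // (catches a symlink planted in the content directory).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['file'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

With this version, a request such as dev.php?file=/etc/passwd returns 404 because the value is not a key in the allowlist, so it never reaches include.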