IP Address: 172.25.200.200
Port: 9051

Want to run this Docker container locally?
docker run -d --restart always --name flag-red70 -p 9051:80 joshbeck2024/ctf-php-filter-chain-lesson-flag-red70:latest
Encountering a Local File Inclusion (LFI) vulnerability often comes with a catch: you can point the server to a file, but the application doesn't actually display the contents of that file back to you. This is known as Blind LFI.
Click on the ‘View Source Code’ button.

We can test this, since we know the flag is in /flag/flag.txt:
http://IP_OF_TARGET:9051?page=/flag/flag.txt

The Bad News:
- While it is possible to manually construct a ‘PHP filter chain,’ the process is highly computationally intensive and complex. A single chain can involve hundreds of character conversions. In this lesson, we will look at a simple manual example to understand the logic, but we will primarily rely on modern automation tools.
- Understanding how it works and then relying on automated tools for initial testing is the way to go if you choose this route.
The Good News:
- In this lesson, we’ll look at an example where a file like /flag/flag.txt might be read letter by letter using an error-based technique.
- Then we’ll jump to the tools that do the job for you.
- Realistically, if you identify an LFI condition, you can use the automated tools early in the pen test process.
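From the defender's side, the chain length noted above makes these requests stand out in web server access logs. The following is an added example, not part of the original lesson: it classifies the `page` parameter of each logged request and counts php://filter stages. The log lines, the threshold of 10 and the verdict names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PARAM = "page"        # include parameter used by this lesson's target
CHAIN_THRESHOLD = 10  # assumed cut-off for "chained"; tune on your own traffic
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
STAGE_RE = re.compile(r"convert\.[\w.\-]+|string\.\w+|zlib\.\w+|dechunk")
SEVERITY = ["ok", "suspicious-path", "stream-wrapper", "php-filter", "filter-chain"]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded wrapper is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def classify_value(value):
    """Return (verdict, filter_stage_count) for one decoded parameter value."""
    if "php://filter" in value:
        stages = len(STAGE_RE.findall(value))
        return ("filter-chain" if stages >= CHAIN_THRESHOLD else "php-filter", stages)
    if "://" in value:
        return ("stream-wrapper", 0)
    if value.startswith("/") or ".." in value:
        return ("suspicious-path", 0)
    return ("ok", 0)

def classify_line(log_line):
    """Classify the worst PARAM value found in one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return ("unparsed", 0)
    values = parse_qs(urlsplit(m.group(1)).query).get(PARAM, [])
    results = [classify_value(fully_decode(v)) for v in values] or [("ok", 0)]
    return max(results, key=lambda r: (SEVERITY.index(r[0]), r[1]))

# Constructed sample lines; the chain repeats one placeholder stage and is not a working chain.
_chain = "php%3A%2F%2Ffilter%2F" + "%7C".join(["convert.iconv.AAA.BBB"] * 120) + "%2Fresource%3D%2Fflag%2Fflag.txt"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /?page=home.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /?page=/flag/flag.txt HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /?page=%2570hp://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:12 +0000] "GET /?page=' + _chain + ' HTTP/1.1" 500 0',
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_line(line), line[:70])
```

The stage count is the useful signal: a legitimate page name has zero stages, while an automated chain produces dozens or hundreds in a single request.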
The error-based technique: Can we crash the server?