Writeup by 4ureli1 for Babel Web

intro web

December 1, 2023

In order to successfully solve the web challenge, I followed the steps below:

Step 1: Run the Website Locally

I started by executing the website locally using the Docker Compose command:

docker-compose up

This command launched the web application, making it accessible at a local address.

Step 2: Analyze the Page Source Code

After accessing the local instance, I examined the source code of the page. I noticed the presence of a query parameter named source. This parameter could be used to display the content of the web page, which was revealed to be:

<?php
    if (isset($_GET['source'])) {
        @show_source(__FILE__);
    } else if(isset($_GET['code'])) {
        print("<pre>");
        @system($_GET['code']);
        print("<pre>");
    } else {
?>
<html>
    <head>
        <title>Welcome to Babel Web!</title>
    </head>
    <body>
        <h1>Welcome to Babel Web!</h1>
        The page is under development, please come back later.
        <!-- <a href="?source=1">source</a> -->
    </body>
</html>
<?php
    }
?>

Step 3: Exploiting the Vulnerability

I observed the use of @system($_GET['code']); in the code, indicating a potential command injection vulnerability. Seizing this opportunity, I tested various commands, starting with ls, then cat, and finally tac. Since cat wasn’t available, I used tac to display the contents of the flag.php file.

This way, I successfully exploited the vulnerability to retrieve the flag.

In summary, the challenge was resolved by running the website locally, analyzing the source code, and exploiting the command injection vulnerability to reveal the contents of the flag.php file.
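
The pattern identified in Step 3, a shell-executing PHP function called directly on a request parameter, can be caught in a source audit. The following Python check is an added example, not part of the original writeup or the challenge's code; it runs over the PHP source shown in Step 2. The name find_shell_injection and the line-based regex matching are assumptions of this example.

```python
import re

# PHP portion of the challenge source, copied from Step 2 of the writeup.
PAGE_SOURCE = """<?php
    if (isset($_GET['source'])) {
        @show_source(__FILE__);
    } else if(isset($_GET['code'])) {
        print("<pre>");
        @system($_GET['code']);
        print("<pre>");
    } else {
?>
"""

# PHP functions that pass a string to the OS shell.
SHELL_SINKS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")
# Request-controlled superglobals, capturing the parameter name.
TAINTED = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")
# Wrappers that quote a value for use as a shell argument.
ESCAPERS = ("escapeshellarg", "escapeshellcmd")

CALL_RE = re.compile(r"@?\b(%s)\s*\((.*)\)\s*;" % "|".join(SHELL_SINKS))
ESCAPED_RE = re.compile(r"(%s)\s*\(\s*$" % "|".join(ESCAPERS))


def find_shell_injection(php_source):
    """Return (line_no, sink, parameter) for each shell sink whose argument
    contains a request superglobal not directly wrapped in an escaper.
    Line-based heuristic: multi-line calls and variables assigned from a
    superglobal earlier in the file are not tracked."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if line.strip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        call = CALL_RE.search(line)
        if not call:
            continue
        sink, args = call.group(1), call.group(2)
        for taint in TAINTED.finditer(args):
            # Text immediately before the superglobal: does it open an escaper call?
            if not ESCAPED_RE.search(args[:taint.start()]):
                findings.append((line_no, sink, taint.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, sink, param in find_shell_injection(PAGE_SOURCE):
        print("line %d: %s() receives request parameter '%s' unescaped" % (line_no, sink, param))
```

A finding here means the call needs review; the fix for a page like this one is to remove the code branch entirely instead of escaping its input, since it exists only to run arbitrary commands.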