Wargames 2018 – PHP Sandbox

Hi readers, during a CTF we (Shah and myself) participated in this year, we were given a web challenge called PHP Sandbox. The web application allows participants to insert any PHP code. While trying to create a web shell, we got an error which stated “the function was disabled”. We then viewed the PHP information by executing the command below:


Upon reading the phpinfo output, we noticed that quite a number of functions were disabled, as shown in the figure below:


Below is the list of disabled functions:


While trying to figure out how we could read the flag, we tried to read the directory, as shown in the figure below:

Reading the directory

After some trial and error, we finally found a way to read the flag without using any of the disabled functions. The command below was used to read the flag:

new Finfo(0, '.supers3cr37file.php');

The figure below proves that we successfully read the flag:
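
The route above stays open because disable_functions blocks functions only, and finfo is a class. As an added example (not code from the original write-up or the challenge), the audit script below can be run by an administrator inside the PHP runtime being hardened to check whether the finfo route is closed; the names ini_name_list and audit_finfo_exposure are hypothetical, and it assumes ini_get() itself has not been disabled.

```php
<?php
// Added example: audit a PHP runtime that relies on disable_functions and
// report whether the finfo constructor used in this write-up is still reachable.

/** Parse a comma-separated ini directive into lowercase names; null if unregistered. */
function ini_name_list(string $directive): ?array
{
    $raw = ini_get($directive);      // false when the directive does not exist
    if ($raw === false) {
        return null;
    }
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));   // drop empty entries
}

/** Return a list of human-readable findings about finfo exposure. */
function audit_finfo_exposure(): array
{
    if (!extension_loaded('fileinfo')) {
        return ['fileinfo extension not loaded: finfo is unavailable'];
    }

    $findings  = [];
    $functions = ini_name_list('disable_functions') ?? [];
    $classes   = ini_name_list('disable_classes');

    if ($functions === []) {
        $findings[] = 'disable_functions is empty: no function blocklist in effect';
    }
    if ($classes === null) {
        $findings[] = 'disable_classes is not registered in this build: finfo cannot be blocked this way';
    } elseif (!in_array('finfo', $classes, true)) {
        $findings[] = 'finfo is not in disable_classes: "new finfo(...)" is allowed';
    }
    // finfo_open() is the procedural form of the same constructor.
    if (!in_array('finfo_open', $functions, true)) {
        $findings[] = 'finfo_open() is not in disable_functions';
    }

    return $findings ?: ['finfo is blocked by both disable_classes and disable_functions'];
}

foreach (audit_finfo_exposure() as $line) {
    echo "[audit] $line\n";
}
```

Run it under the same SAPI and php.ini as the sandboxed application, since the CLI often loads a different configuration.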


