The challenge statement gives us the following site:

By manipulating the URL, I quickly realize that a LFI vulnerability is exploitable.

So I start to inject a payload with double encoding in order to get the content of the file /etc/passwd:

I have the content of the file in return but I don’t see any exploitable user or service:


So I decide to download the content of the index.php file with the PHP wrappers:

With this request, I get the content of the index.php file in base64 directly on the web page.

After decoding, I see the following PHP code corresponding to the LFI filters applied (bypassing the function via double encoding):

    function lfi_filter($value)
        $omit_words = array('..', '../', '/');
        $new_string = str_replace($omit_words, '', $value);
        return $new_string;
    if (isset($_GET["category"])) {
      $categorie = lfi_filter($_GET["category"]);
      include urldecode($categorie);
    }else {
      include 'home.php';

From this moment, I look for a little moment before continuing the challenge because the recovered PHP code gives us no additional information.

Since fuzzing is not allowed on this challenge, it’s time for #guessing!

Looking at the title of the challenge and in adequacy with the structure of the site, after several attempts I try to join the page private.php via and I have a return!

So I get the source code of this page with the same payload as before:

I get the following source code with an interesting ASCII comment:

      <td><img width="50%" class="center" src="categorie\Why-So-Sad-Funny-Clown-Face-Picture.jpg" alt="personal_attack.jpg"></td>
      <!--don't leak (\x70\x65\x72\x73\x6F\x6E\x61\x6C) -->

After conversion, I get the following value: personal

I suppose that the site has a personal category, so I go to the URL which contains an audio recording in wav format.

After downloading the audio recording, I open it with the Audacity software in order to analyze the content.

The audio generated by the recording leads me to believe that an information is present in the spectrogram !

After inversion of the audio track and analysis of the spectrum, I recover the following information:


Flag: MCTF{H1d3_Y0uR_S3cRe7s}