Great, I've been waiting for this. Now I can finally get past level 2 -- I didn't realize a non-existent file would work, even though I did figure you could overwrite variables due to the get. I considered overwriting filename with "index.php" and figuring out what attempt would have to be to pass -- but that was too much work for a simple challenge when I had enough other stuff to do ;-)
At least I identified the "correct" vulnerability.
I spent a great deal of time using index.php and README as filename parameters, and using the contents of those files as the password attempt. This attack worked in my local environment, but not on the live ctf. It took a while to realize that `file_get_contents('nonexistent') === ''`, raising no exceptions.
I actually uploaded a txt file to dropbox and then passed that in and the contents of the file as the two parameters. It worked for me, although that method seemed to stop working later on.
Relying on php to open an url? Or do you mean filename="/" ? What did your attempt end up being? (Apparently they've taken down the ctf-servers, so playtime is over).
Yes.
You can do $x = file_get_contents("http://news.ycombinator.com) and it will work (well, in that case it wouldn't as the machine had locked down network access, but you get the idea).
Yes, I am aware php allows one to open urls via the file*-procedures (unless it has been disabled on the server -- which is generally a good idea for production deployment). I meant -- what did you end up using for the challenge (url/$filename and $attempt)?
I guess it would've. I tried to think of stuff that lives under /etc mv -- didn't think of /dev/null. However the "empty filename fall trough" is better as it also works under a chroot without such files available.
I spent a while trying to do a path traversal exploit to set password.txt readable, trying various encodings along the way. I head-desked when I realized I could just upload a PHP script.
At least I identified the "correct" vulnerability.