Merdeka

Let's sing patriotic songs together in conjunction with Malaysia's Independence Day.

The website shows us three pages with different national songs and lyrics:

<a href="javascript:void(0)" onclick="setPage('tanggal31.html')">Tanggal 31</a>
<a href="javascript:void(0)" onclick="setPage('keranamu.html')">Keranamu Malaysia</a>
<a href="javascript:void(0)" onclick="setPage('jalurgemilang.html')">Jalur Gemilang</a>

Interesting stuff here: the setPage function takes the page name, encodes it in Base64, and stores the result in the page cookie.

The page cookie is simply the Base64 encoding of one of the three page names. For example:

  • tanggal31.html | page = dGFuZ2dhbDMxLmh0bWw=

  • keranamu.html | page = a2VyYW5hbXUuaHRtbA==

  • jalurgemilang.html | page = amFsdXJnZW1pbGFuZy5odG1s

This looks like an LFI vulnerability, so let's check out the source code, index.php, by using a PHP wrapper:

php://filter/read=convert.base64-encode/resource=/var/www/html/index.php

By the time of writing this, the infra of the CTF had already shut down, so I can't provide the ss. But the index.php doesn't show us any flag. I got stuck here lol, even tried to read /etc/passwd.

Eventually, I left the challenge halfway.

Apparently, the solution was to check common files like config.php, which contained database connections and root folders.

php://filter/read=convert.base64-encode/resource=/var/www/html/config.php

Encode it into Base64 and plug it into the page cookie, and we receive config.php encoded in Base64.

When decoded:

Flag: 3108{m4r1_k1t4_w4rg4_n3g4r4}
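The check that would have stopped both wrapper reads above, as an added example (not the challenge's code; index.php is not reproduced in this writeup): decode the page cookie and accept it only if it names one of the three linked pages. The function names, verdict labels and sample Cookie headers are assumptions constructed for illustration.

```python
import base64

# The only page names the site itself ever sets via setPage().
ALLOWED_PAGES = {"tanggal31.html", "keranamu.html", "jalurgemilang.html"}


def page_cookie(cookie_header):
    """Return the raw value of the `page` cookie, or None if it is absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")  # keeps '=' padding in value
        if key == "page":
            return value
    return None


def classify_page_cookie(cookie_header):
    """Return 'allow' or 'reject:<reason>' for a request's Cookie header."""
    value = page_cookie(cookie_header)
    if value is None:
        return "reject:missing"
    try:
        name = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "reject:not-base64"
    if name in ALLOWED_PAGES:
        return "allow"
    # Not on the allowlist: label why, so the event can be alerted on.
    if "://" in name:
        return "reject:stream-wrapper"
    if name.startswith("/") or ".." in name:
        return "reject:path"
    return "reject:unknown-page"


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed Cookie headers (not captured traffic).
SAMPLES = [
    "session=abc; page=dGFuZ2dhbDMxLmh0bWw=",
    "page=" + b64("php://filter/read=convert.base64-encode/resource=/var/www/html/config.php"),
    "page=" + b64("/etc/passwd"),
    "page=%%%",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_page_cookie(header), "<-", header)
```

Because the decision is an exact match against a fixed set, the filter wrapper, absolute paths and any other unexpected name are all refused before the value ever reaches a file-loading call.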
