Forgotten File Pointer | 247 CTF | CTF For beginners

Rahul Singh Chauhan

3 Sept 202102:47

Summary

TLDRIn this video, Rahul explains a CTF (Capture The Flag) challenge involving file pointers in PHP. He walks through a method of reading a flag from a file using the f open method and the get function, but with a critical limitation: the file path parameter must be less than 10 characters. Rahul then delves into a workaround by accessing process IDs and utilizing a bug found in PHP to read the file through the /dev/fd directory. He demonstrates how this alternative approach ultimately leads to successfully retrieving the flag, offering viewers a valuable solution for overcoming file pointer restrictions.

Takeaways

😀 Rahul introduces the topic of the video, discussing the 'wife leaving file' and its potential dangers in a CTF challenge.
😀 The video emphasizes the importance of understanding the theory behind the challenge before attempting the solution.
😀 The file in question is opened using the `f open` method, with the pointer set to `fb` and the file being read in 'read' mode.
😀 A specific condition is introduced where the `get` method expects a parameter called `include` to read the file.
😀 The `include` parameter must be passed with a value that is less than 10 characters, a crucial restriction for the challenge.
😀 Rahul explains that simply passing the value to the parameter won't work because the file name length exceeds 10 characters.
😀 The solution involves accessing file pointers through the `/proc` directory and finding the process ID for PHP in this challenge.
😀 Without access to the PHP process ID, Rahul suggests a workaround using the `/dev/fd` directory to access the file pointers directly.
😀 By navigating to `/dev/fd`, users can gain access to the same file pointer as if they had the process ID, making it easier to find the flag.
😀 The video concludes with Rahul mentioning that after experimenting with file pointer manipulation, he successfully retrieves the flag.
😀 This approach offers an alternative method to access file pointers and retrieve information, bypassing the need for direct access to the process ID.

Q & A

What is the main topic of the video?
-The video discusses a challenge in a Capture the Flag (CTF) competition related to accessing a file pointer and finding the flag, focusing on the use of file handling methods and vulnerabilities in PHP.
Why is it important to watch the theory video before this one?
-The theory video provides background knowledge essential for solving the CTF challenge discussed in this video. It sets the stage for understanding the context and methodology before diving into the practical solution.
What file handling method is highlighted in the script, and what does it do?
-The file handling method discussed is `fopen()`, which opens a file (in this case, `temp flag.txt`) in read mode. The file pointer is stored in the variable `fb`.
What issue arises with the `include` parameter in this CTF challenge?
-The challenge specifies that the `include` parameter must be less than 10 characters in length. However, the value passed to this parameter exceeds this limit, preventing a direct solution.
How is the issue with the `include` parameter addressed?
-The issue is tackled by using a vulnerability in PHP. Instead of passing the parameter directly, the script suggests using a technique to access the file pointer by exploiting the `/proc` directory or the `/dev/fd` directory.
What role does the `/proc` directory play in the solution?
-The `/proc` directory contains information about running processes. In this case, it is used to access the PHP process’s file pointer. However, the process ID of PHP is needed to locate the specific file pointer, which could be a challenge if not accessible.
What workaround is provided for accessing the file pointer without the process ID?
-The workaround involves accessing the `/dev/fd` directory. This directory allows users to access file descriptors, including the one associated with the PHP process, which can be used to read the flag without needing the process ID.
Why would the user need to modify the values in the `/dev/fd` directory?
-Modifying the values in the `/dev/fd` directory allows the user to change the file pointer and eventually access the contents of the `temp flag.txt` file, which contains the flag.
What does the `get()` method expect, and how does it relate to the file pointer?
-The `get()` method expects a parameter named `include`. This parameter is used in conjunction with the file pointer to fetch the flag. However, due to the character length restriction, a workaround is required to bypass the limitation.
What is the final outcome of the process described in the video?
-After exploiting the vulnerability in PHP and accessing the `/dev/fd` directory, the user is able to eventually retrieve the flag by manipulating the file pointer and resolving the length issue with the `include` parameter.