Rating:
# Archivr 300
My team solved all the other web challenges. This was the only one left.
We did not solve this challenge during the CTF because I'm stupid and forgot how regex work :))))))).
Anyways I think it will make for a good writeup anyways. Enjoy.

## Recon

We can upload any file we want. Lets try upload shell.php

The extension gets removed and replaced with .dat.

We can dowload the file here if we enter `1542616333.dat`
Okay let's try some more extensions and figure out which ones are useful.

Left side is upload filename, right side is filename returned by server.
Moving on. Not much else to do here as the file is just returned to us and not displayed.
## Dirb
Running dirb we get some new paths.

Cool, we have found the upload directory. Let's see if we can browse our file.
```
/uploads/1542616333.dat (404)
```
Okay maybe that's not the correct folder.
## Exploiting LFI Wrappers
Using this payload we can view the source code of the upload.php file as the input is not sanitized correctly.
`http://fun.ritsec.club:8004/index.php?page=php://filter/convert.base64-encode/resource=upload`

Decoding the base64 we get:

This is the code for the download page:

So the upload folder is
```
uploads/md5(REMOTE_ADDR)/md5(time()).ext
```
## The hunt for the REMOTE_ADDR IP
In PHP `$_SERVER['REMOTE_ADDR']` returns the IP address in the format X.X.X.X of the user visiting the website.
What's different with this challenge is that the server is running inside docker (most likely) and behind a reverse proxy.

If we visit a page that does not exist. We see that the web server is running apache.

But if we view the header of the request it says nginx.
me ---> nginx (port 8003) ---- > apache (port 80)
Let's try some obvious ones as IP:
```
127.0.0.1
my remote ip
0.0.0.0
54.166.0.85 (ip of ritsec website)
```
None of these worked.... Bruteforce is not a option as we don't know in which range the ip is located.
### Wild idea: Spoofing The X-Forwarded-For (XFF) HTTP header field
I tried to add a header field with a custom IP to see if we can spoof remote address. This did not work and I never expected it to work.
```
X-Forwarded-For: 127.0.0.1
```
### Thinking outside the box: Exploiting another challenge
Remember how we had command injection in Lazy Dev. We know the setup of the CTF should be very similar.
```
curl -d "" -X POST http://fun.ritsec.club:8007/devsrule.php?magic=php://input
```

Remote address of lazy dev is `10.0.10.254`.
Maybe it's the same for Archivr.

Yaayy! We've found something. Instead of a 404 we get a forbidden (403).
## Create a payload
payload.php
```php