Tags: web
Rating:
This challenge was a little blog about technology, with very little content.
Looking at the source code, we can see that static files are in files/images/. Let's have a look at the files/ directory. There is a flag directory!
There is surely something like a flag.txt or flag.jpg in it, but we don't have permission to read what's inside.
Looking more closely at the source code, we can see that an image is served by a script called "images.php". Interesting: maybe it has permission to read in the flag directory. Let's just try it.
http://ctf.sharif.edu:31455/chal/technews/6ebb0f4f44b73fb0/images.php?id=files/flag/flag.txt
It seems it doesn't accept our file. Let's try using a PHP filter to see if we can retrieve the content of a file.
http://ctf.sharif.edu:31455/chal/technews/6ebb0f4f44b73fb0/images.php?id=php://filter/convert.base64-encode/resource=files/images/heart.jpg
It returns our image, but not its base64 string. Strange behaviour. After some tests, it looks like the script extracts the resource from the id with a regex, to stop us from using a PHP filter. There is something to dig into here! Just to check, I tested the following:
http://ctf.sharif.edu:31455/chal/technews/6ebb0f4f44b73fb0/images.php?id=php://abcdresource=files/flag/heart.jpg
It still displays our image, so I imagine it is using a regex like ^php://.*resource=(.*)$ and injecting the capture into the variable that holds the file to be loaded.
So, let's try to escape this regex with:
http://ctf.sharif.edu:31455/chal/technews/6ebb0f4f44b73fb0/images.php?id=php://abcdresource=files/flag/heart.jpg/resource=index.php
It tells us that this is not a valid image... which is a good sign! Just use curl to get the raw result instead of the browser's interpretation of it.
Now we can load any file we want, so let's try with flag.txt:
http://ctf.sharif.edu:31455/chal/technews/6ebb0f4f44b73fb0/images.php?id=php://abcdresource=files/flag/heart.jpg/resource=files/flag/flag.txt
And now, we're getting the flag!
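To make the root cause concrete, here is an added example (not code from the challenge, whose images.php source is never shown) that models the regex the writeup hypothesises and shows how a greedy `.*` lets the last `resource=` win, next to an allowlist-based resolver that a defender would use instead. The directory name files/images, the allowed extensions and the log-scanning helper are assumptions for the demonstration.

```python
import posixpath
import re
from typing import Optional

# Hypothesised extraction regex from the writeup (assumption: the real
# images.php is not on the page). The greedy ".*" before "resource=" means the
# capture group is whatever follows the LAST "resource=" in the id.
WRAPPER_RE = re.compile(r"^php://.*resource=(.*)$")

IMAGE_DIR = "files/images"                 # assumed static image directory
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def vulnerable_resolve(id_param: str) -> str:
    """Model of the weak approach: strip a php:// wrapper by regex and trust
    the captured path. Returns the path the loader would end up opening."""
    m = WRAPPER_RE.match(id_param)
    return m.group(1) if m else id_param


def hardened_resolve(id_param: str) -> Optional[str]:
    """Allowlist approach: refuse any stream wrapper or NUL byte, normalise
    the path, and only accept a file that sits directly under IMAGE_DIR with
    an image extension. Returns the safe path, or None if the id is rejected."""
    if "://" in id_param or "\x00" in id_param:
        return None                        # no php://, file://, data:// ...
    normalized = posixpath.normpath(id_param)
    if posixpath.dirname(normalized) != IMAGE_DIR:
        return None                        # traversal or a different directory
    if posixpath.splitext(normalized)[1].lower() not in ALLOWED_EXT:
        return None                        # only image types are served
    return normalized


# Detection side: flag access-log lines whose id parameter carries a stream
# wrapper, a filter, or more than one "resource=". Log lines are constructed.
SUSPICIOUS_RE = re.compile(r"id=[^ &]*(php://|php%3A%2F%2F|resource=.*resource=)", re.I)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /images.php?id=files/images/heart.jpg HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /images.php?id=php://filter/convert.base64-encode/resource=files/images/heart.jpg HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /images.php?id=php://abcdresource=files/images/heart.jpg/resource=files/flag/flag.txt HTTP/1.1" 200 38
"""


def suspicious_lines(log_text: str) -> list:
    """Return the log lines that match the wrapper/filter/double-resource pattern."""
    return [line for line in log_text.splitlines() if SUSPICIOUS_RE.search(line)]


if __name__ == "__main__":
    bypass = "php://abcdresource=files/images/heart.jpg/resource=files/flag/flag.txt"
    print("vulnerable:", vulnerable_resolve(bypass))   # files/flag/flag.txt
    print("hardened:  ", hardened_resolve(bypass))     # None
    print("hardened:  ", hardened_resolve("files/images/heart.jpg"))
    for line in suspicious_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

The hardened resolver does not try to "clean" the wrapper out of the id; it simply refuses anything that is not a plain image path under the expected directory, which removes the regex-escape trick entirely. The log scan is a cheap first-pass signal; a second `resource=` in one id has no legitimate reason to appear.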