First, I stumbled upon a website whose /robots.txt file revealed an exposed .git directory.
Using the git-dumper tool, I was able to download the whole repository and browse the commits, logs, and branches in the .git.
Analyzing the source code of the index file then revealed a few interesting files, including /login.php and /admin.php.
After trying some LFI techniques on the PHP code, I was able to extract the source code of /login.php by having the LFI return the file base64-encoded.
Now that we have LFI and can read source code through it, let’s analyze the other files in the previously dumped .git. First, let’s take a look at the exposed database, where we found the password and key for the administrator user.
In admin.php, a check is performed to verify whether the user’s auth_token corresponds to the administrator user.
Further analyzing the PHP code, I discovered a variable called Secret_Key, which is used to verify the admin’s credentials.
The second part of the token is the MD5 of the Secret_Key concatenated with the first part of the token; this is how the application signs the token. Therefore, we need to read the Secret_Key used by the application. By accessing the config.php file through the LFI, I was able to extract the Secret_Key.
With this information, I was able to create a cookie for the admin that contained the user_key I found in the database.
Combining this with the MD5 hash of the Secret_Key and a JSON string in base64 format, I was able to generate a valid authentication cookie for the admin and gain access to /admin.php.
So now we can access the admin panel and get the flag.
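To make the failure concrete from the defender's side, here is an added example (not code from the challenge or from the writeup) that models the cookie check as described: a base64 JSON cookie whose second field is md5(Secret_Key + first field), beside a hardened version that uses HMAC-SHA256 with a constant-time comparison and loads the secret from the environment instead of a file under the web root. The cookie field names, the JSON container layout, and the SECRET_KEY/ADMIN_USER_KEY values are constructed assumptions; they are not the challenge's real values.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed stand-ins for what the writeup recovered from config.php (via LFI)
# and from the dumped database. Not the challenge's real Secret_Key or user_key.
SECRET_KEY = "constructed-secret-key"
ADMIN_USER_KEY = "constructed-admin-user-key"


def _encode_cookie(payload: dict) -> str:
    """Cookie container as described in the writeup: base64 of a JSON string."""
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


def _decode_cookie(cookie: str) -> Optional[dict]:
    """Strict decode; any malformed cookie is rejected rather than partially trusted."""
    try:
        data = json.loads(base64.b64decode(cookie, validate=True))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass ValueError
        return None
    if not isinstance(data, dict):
        return None
    if not isinstance(data.get("user_key"), str) or not isinstance(data.get("sig"), str):
        return None
    return data


def weak_sign(secret: str, user_key: str) -> str:
    """The scheme the writeup reverses: sig = md5(Secret_Key + user_key).
    Its whole security rests on Secret_Key staying secret, which the LFI defeated."""
    sig = hashlib.md5((secret + user_key).encode()).hexdigest()
    return _encode_cookie({"user_key": user_key, "sig": sig})


def weak_verify(secret: str, cookie: str, admin_user_key: str) -> bool:
    data = _decode_cookie(cookie)
    if data is None:
        return False
    expected = hashlib.md5((secret + data["user_key"]).encode()).hexdigest()
    # Plain == is also timing-variant; kept to mirror the original design.
    return data["sig"] == expected and data["user_key"] == admin_user_key


def load_secret() -> bytes:
    """Hardened: the key lives in the environment, not in a PHP file an LFI can read."""
    value = os.environ.get("APP_SECRET_KEY")  # hypothetical variable name
    if not value:
        raise RuntimeError("APP_SECRET_KEY is not set")
    return value.encode()


def strong_sign(secret: bytes, user_key: str) -> str:
    """Hardened: HMAC-SHA256 instead of md5(secret || data)."""
    sig = hmac.new(secret, user_key.encode(), hashlib.sha256).hexdigest()
    return _encode_cookie({"user_key": user_key, "sig": sig})


def strong_verify(secret: bytes, cookie: str, admin_user_key: str) -> bool:
    data = _decode_cookie(cookie)
    if data is None:
        return False
    expected = hmac.new(secret, data["user_key"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes of the signature matched.
    return hmac.compare_digest(data["sig"], expected) and hmac.compare_digest(
        data["user_key"], admin_user_key
    )


if __name__ == "__main__":
    cookie = weak_sign(SECRET_KEY, ADMIN_USER_KEY)
    print("weak scheme accepts its own admin cookie:", weak_verify(SECRET_KEY, cookie, ADMIN_USER_KEY))
    key = b"constructed-hmac-key"
    print("hardened scheme accepts its own admin cookie:", strong_verify(key, strong_sign(key, ADMIN_USER_KEY), ADMIN_USER_KEY))
```

Two points follow from the model. Moving the key out of the web root removes the path this writeup used (source disclosure through LFI and a dumped .git), and switching to HMAC matters independently of that: md5(secret || data) is not a sound MAC construction even when the secret is unknown, whereas HMAC-SHA256 is, and the constant-time comparison closes the timing side channel that a plain string comparison leaves open.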