Brick by Brick
umasscybersec
Task: a PHP site exposed internal docs in robots.txt and a vulnerable ?file= reader under /internal-docs/. Solution: path traversal disclosed source files, revealing the hidden admin dashboard, default credentials, and the hardcoded flag.
Brick by Brick — UMass Cybersecurity CTF
Description
Organizer description was not preserved in the local task files.
English summary: a PHP website exposed internal documentation via robots.txt. Those documents described a file-read endpoint that could be abused with path traversal to read application source code, discover a hidden admin dashboard, and recover both credentials and the flag.
Analysis
The main clue was robots.txt, which pointed to /internal-docs/. One internal document described a file read feature that accepted ?file=.
Reading index.php showed the server prepended /var/www/html/ to the user-controlled filename and only blocked inputs starting with /etc/passwd. Because the application did not canonicalize the path, traversal sequences such as ../ still worked, giving a local file inclusion / arbitrary file read primitive.
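The filtering flaw described above, as an added example rather than the challenge's own source: the weak reader mirrors the write-up (a fixed prefix prepended to user input, only one literal input prefix blocked), and the hardened reader canonicalizes with realpath() and checks the resolved path against the resolved document root. The function names, the throwaway directory layout and the sample file contents are constructed for the demo; str_starts_with() assumes PHP 8 or later.

```php
<?php
// Added example, not the challenge's code. Compares a prefix blacklist
// (no canonicalization) with a realpath()-based containment check.

// Weak: blacklist on the raw input; "../" is never normalized away.
function weak_read(string $root, string $file): ?string
{
    if (str_starts_with($file, '/etc/passwd')) {   // the only input blocked
        return null;
    }
    $path = $root . $file;    // "../secret.txt" is joined and read unchanged
    return is_readable($path) ? file_get_contents($path) : null;
}

// Hardened: resolve ".." and symlinks first, then require the resolved path
// to sit strictly below the resolved document root.
function safe_read(string $root, string $file): ?string
{
    $realRoot = realpath($root);
    $realPath = realpath($root . DIRECTORY_SEPARATOR . $file);
    if ($realRoot === false || $realPath === false) {
        return null;                                  // missing or unresolvable
    }
    if (!str_starts_with($realPath, $realRoot . DIRECTORY_SEPARATOR)) {
        return null;                                  // escaped the document root
    }
    return file_get_contents($realPath);
}

// Self-contained demo on a constructed temp tree: one file inside the
// web root, one file one level above it.
function demo(): void
{
    $base = sys_get_temp_dir() . '/traversal_demo_' . bin2hex(random_bytes(4));
    mkdir("$base/html", 0700, true);
    file_put_contents("$base/html/index.php", "<?php // public file\n");
    file_put_contents("$base/secret.txt", "outside the web root\n");

    $root = "$base/html/";
    foreach (['index.php', '../secret.txt'] as $req) {
        printf("%-15s weak: %-8s safe: %s\n", $req,
            weak_read($root, $req) === null ? 'blocked' : 'READ',
            safe_read($root, $req) === null ? 'blocked' : 'READ');
    }

    unlink("$base/html/index.php");
    unlink("$base/secret.txt");
    rmdir("$base/html");
    rmdir($base);
}

demo();
```

Running the script prints "READ" for index.php under both readers, while "../secret.txt" is read by weak_read() and blocked by safe_read(). The containment check compares against the resolved root plus a separator, so a sibling directory that merely shares the root's name as a prefix (for example /var/www/html2) is also rejected; realpath() returning false for nonexistent files means the hardened reader gives the same null answer for "outside the root" and "does not exist".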
Using that primitive on config.php revealed the hidden route /dashboard-admin.php. Reading that file then exposed default credentials administrator / administrator and the same flag constant returned after login.
Solution
- Request robots.txt and discover /internal-docs/.
- Read the internal documentation and identify the vulnerable ?file= endpoint.
- Use traversal to read index.php and confirm weak blacklist-based filtering.
- Read config.php to recover the hidden admin dashboard path.
- Read dashboard-admin.php to obtain the default credentials and the flag constant.
- Log in with administrator / administrator and retrieve the flag from the dashboard.
...