Brick by Brick
umasscybersec
Task: a PHP site exposed internal docs in robots.txt and a vulnerable ?file= reader under /internal-docs/. Solution: path traversal disclosed source files, revealing the hidden admin dashboard, default credentials, and the hardcoded flag.
Brick by Brick — UMass Cybersecurity CTF
Description
Organizer description was not preserved in the local task files.
English summary: a PHP website exposed internal documentation via robots.txt. Those documents described a file-read endpoint that could be abused with path traversal to read application source code, discover a hidden admin dashboard, and recover both credentials and the flag.
Analysis
The main clue was robots.txt, which pointed to /internal-docs/. One internal document described a file read feature that accepted ?file=.
Reading index.php showed the server prepended /var/www/html/ to the user-controlled filename and only blocked inputs starting with /etc/passwd. Because the application did not canonicalize the path, traversal sequences such as ../ still worked, giving a local file inclusion / arbitrary file read primitive.
Using that primitive on config.php revealed the hidden route /dashboard-admin.php. Reading that file then exposed default credentials administrator / administrator and the same flag constant returned after login.
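The filtering flaw described above, shown beside a canonicalizing check, as an added example that is not the challenge's source code. The function names `read_doc_weak` and `read_doc_safe`, the temporary directory layout and the file contents are assumptions constructed for illustration.

```php
<?php
// Illustrative reconstruction; names and the temp layout are assumptions.

// Weak pattern described in the writeup: prepend a base directory and
// reject only one literal prefix. "../" segments are never resolved.
function read_doc_weak(string $base, string $file): ?string {
    if (strpos($file, '/etc/passwd') === 0) {
        return null;                              // blacklist of a single string
    }
    $path = $base . $file;                        // no canonicalization
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened pattern: canonicalize first, then require the result to stay
// inside the base directory. realpath() resolves "..", "." and symlinks.
function read_doc_safe(string $base, string $file): ?string {
    $root = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $real === false) {
        return null;                              // missing base or missing file
    }
    // Trailing separator stops a sibling like "docs-old" from matching "docs".
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                              // resolved outside the base
    }
    return is_file($real) ? file_get_contents($real) : null;
}

// Constructed layout: <tmp>/site/docs/readme.txt is public,
// <tmp>/site/config.php stands in for source that must not be served.
$site = sys_get_temp_dir() . '/bbb_demo_' . getmypid() . '/site';
mkdir($site . '/docs', 0700, true);
file_put_contents($site . '/docs/readme.txt', "public doc\n");
file_put_contents($site . '/config.php', "<?php // constructed secret\n");
$base = $site . '/docs/';

// Print the decision each function makes for an in-base and an out-of-base name.
foreach (['readme.txt', '../config.php'] as $req) {
    printf("%-14s weak=%-5s safe=%s\n", $req,
        read_doc_weak($base, $req) !== null ? 'read' : 'deny',
        read_doc_safe($base, $req) !== null ? 'read' : 'deny');
}
```

The comparison is made on the resolved path, so the check holds regardless of how the traversal is spelled in the request; an allow-list of known document names is stricter still where the set of files is fixed.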
Solution
- Request robots.txt and discover /internal-docs/.
- Read the internal documentation and identify the vulnerable ?file= endpoint.
- Use traversal to read index.php and confirm weak blacklist-based filtering.
- Read config.php to recover the hidden admin dashboard path.
- Read dashboard-admin.php to obtain the default credentials and the flag constant.
- Log in with administrator / administrator and retrieve the flag from the dashboard.
...