# Debugger

### <mark style="color:blue;">Challenge Description</mark>

<div align="left"><figure><img src="/files/caTYhMpltc0wUV1c4GAG" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/Aig7wabL4xhjvQVj3K7L" alt=""><figcaption></figcaption></figure></div>

Let's take a look at the source code of the page:

<div align="left"><figure><img src="/files/Q6wRPZQuqxebwGRV6ogV" alt=""><figcaption></figcaption></figure></div>

If we use this search parameter, we can view the source code of the page:

<div align="left"><figure><img src="/files/NlHcmheJUmO4gmfjQLVW" alt=""><figcaption></figcaption></figure></div>

**PHP code:**

```php
<?php
            define("LOADFLAG", true);
            error_reporting(0);
            function get_debug_info($filters) {
                ob_start(); phpinfo(); $pi = ob_get_contents(); ob_end_clean() ;
                $debug = array();
                foreach(explode(PHP_EOL, $pi) as $line) {
                    if(strstr($line, $filters)) {
                        array_push($debug, $line);
                    }
                }
                return $debug;
            }
            if(isset($_GET['action']) && $_GET['action']=="debug") {
                $is_admin = $_SERVER['REMOTE_ADDR'] == "127.0.0.0" ? 1 : 0;
                $debug_info = get_debug_info(extract($_GET['filters']));
                if($is_admin) {
                    echo implode($debug_info, '\n');
                } else {
                    echo("Only local admins are allowed to debug!");
                }
                include_once "flag.php";
            }
            if(isset($_GET['action']) && $_GET['action']=="src") {
                highlight_file(__FILE__);
            }
            // With <3 from @gehaxelt.
        ?>
```

This is a PHP script that performs debugging and potentially exposes sensitive information (the flag) if certain conditions are met:

1. The URL parameter `action` is set to **"debug"** (`$_GET['action'] == "debug"`).
2. The client's IP address (`$_SERVER['REMOTE_ADDR']`) is **"127.0.0.0"**, which the script treats as the local admin.

So we have to make sure both conditions are met to solve the challenge and get the flag.

Send the request to Repeater:

<div align="left"><figure><img src="/files/lHRUvGa8VwpfrkRRIVFd" alt=""><figcaption></figcaption></figure></div>

Let's make the first condition true by setting `action=debug`:

<div align="left"><figure><img src="/files/a46NvG2cVvE4QYv5DQXP" alt=""><figcaption></figcaption></figure></div>

In the PHP code, if the second condition is false, the message "Only local admins are allowed to debug!" is shown:

```php
if($is_admin) {
   echo implode($debug_info, '\n');
} else {
   echo("Only local admins are allowed to debug!");
}
```

Now we have to make the condition `$is_admin` true:

```php
if(isset($_GET['action']) && $_GET['action']=="debug") {
                $is_admin = $_SERVER['REMOTE_ADDR'] == "127.0.0.0" ? 1 : 0;
                $debug_info = get_debug_info(extract($_GET['filters']));
                if($is_admin) {
                    echo implode($debug_info, '\n');
                } else {
                    echo("Only local admins are allowed to debug!");
                }
                include_once "flag.php";
            }
```

The `extract()` function is used unsafely here: it imports variables into the current scope from an array whose keys and values come from user input. The code calls it on `$_GET['filters']`, which lets an attacker set variables in the script and change the value of `$is_admin`. Because `extract()` overwrites existing variables by default (`EXTR_OVERWRITE`) and is called after `$is_admin` has been assigned from `REMOTE_ADDR`, the value from the request wins. Here's how it can be done:

When the query string contains `filters[is_admin]=1`, PHP parses it into the array `$_GET['filters'] = ['is_admin' => '1']`, and `extract($_GET['filters'])` assigns the value under the key `'is_admin'` to a variable of the same name (`$is_admin`), setting it to 1.

```
http://52.59.124.14:10018?action=debug&filters[is_admin]=1
```

<div align="left"><figure><img src="/files/WpMSlCVc7NYvQ51bIiBU" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/DNe7lEl8E1LEo5FQQXtE" alt=""><figcaption></figcaption></figure></div>
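The overwrite described above, reduced to a stand-alone script and shown beside two ways of closing it. This is an added example, not code from the challenge or its author; the function names, the `name` filter key, the sample request arrays and the use of `127.0.0.1` in the hardened check are assumptions made for illustration.

```php
<?php
// Added example with constructed request data; runs from the CLI, no web server.

// Pattern from the challenge: the authorization flag is set first, then
// extract() imports request-controlled keys with the default EXTR_OVERWRITE.
function is_admin_vulnerable(array $get, string $remoteAddr): bool {
    $is_admin = $remoteAddr == "127.0.0.0" ? 1 : 0;
    extract($get['filters'] ?? []);            // can replace $is_admin
    return (bool) $is_admin;
}

// Partial mitigation: EXTR_SKIP never overwrites a variable that already
// exists, but it only protects variables defined before the call.
function is_admin_skip(array $get, string $remoteAddr): bool {
    $is_admin = $remoteAddr == "127.0.0.0" ? 1 : 0;
    extract($get['filters'] ?? [], EXTR_SKIP);
    return (bool) $is_admin;
}

// Hardened: no extract() at all. The filter is read from one expected key
// ('name' is a hypothetical key) and validated as a string, so request data
// can never become a variable in this scope.
function check_hardened(array $get, string $remoteAddr): array {
    $filter = $get['filters']['name'] ?? '';
    if (!is_string($filter)) {
        $filter = '';
    }
    $is_admin = ($remoteAddr === "127.0.0.1"); // assumed loopback address
    return ['is_admin' => $is_admin, 'filter' => $filter];
}

// Constructed inputs: one ordinary request, one carrying an is_admin key.
$benign  = ['action' => 'debug', 'filters' => ['name' => 'session']];
$crafted = ['action' => 'debug', 'filters' => ['is_admin' => '1']];
$client  = '203.0.113.7';                      // documentation-range address

foreach (['benign' => $benign, 'crafted' => $crafted] as $label => $get) {
    printf(
        "%-8s vulnerable=%s skip=%s hardened=%s\n",
        $label,
        var_export(is_admin_vulnerable($get, $client), true),
        var_export(is_admin_skip($get, $client), true),
        var_export(check_hardened($get, $client)['is_admin'], true)
    );
}
```

Only the vulnerable variant reports admin for the crafted request; removing `extract()` is the durable fix, since `EXTR_SKIP` stops protecting a variable as soon as its assignment is moved below the call.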

### <mark style="color:blue;">Flag</mark>

```
ENO{N3ver_3xtract_ok?}
```

