hack you 2014 CTF Writeup – Winning PHPwning Web400 the Wrong Way

This is a story about how I won hack you 2014’s Web 400 challenge the wrong way.


Using only this part of the code I was able to get the key:

include 'config.php';
include 'classes.php';
$action = (isset($_REQUEST['action'])) ? $_REQUEST['action'] : 'View';
$param = (isset($_REQUEST['param'])) ? $_REQUEST['param'] : 'index';
$page = new $action($param);
echo $page;

thought the correct answer had to do with using an internal PHP class and passing it a single argument.

So I searched through the PHP docs for a class with the following:

  • valid/useful toString method
  • requires only one input
  • native on all PHP installs

After my eyes starting bleeded I had two pretty usable internal classes:

With SplFileObject I can read the first line of any file I specify – which is pretty neat but turned out to be unneeded. As it turns out GlobIterator was good enough to win this challenge.

After doing the following I found the key just sitting in the root directory (waiting for me, daww):


Which gave me:


But why?

GlobIterator will return the first file in a directory if you just pass it a path as a single argument. This is neat because I can enumerate all files in a directory by doing:*&action=GlobIterator*&action=GlobIterator*&action=GlobIterator


Until I find all files in a directory.

I didn’t have to actually write that script because ASCII ‘C’ was first before other files so it just worked with “param=/*”

There’s probably a lesson here about unintended features or something but I’m too tired to think of it.

It was only afterwards that I was told this wasn’t the actually way to do it. Oops!

Matthew Bryant (mandatory)

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.