Want to run this Docker container locally?

 docker run -d -p 3444:80 --name ctf-php-filter --restart always joshbeck2024/ctf-php-filter

We are provided the source code, and we can see that:

Exploiting with php://filter

php://filter is a built-in PHP stream wrapper.

Think of it like this:

• PHP treats both as valid inputs to include().

  • A normal file path:

  index.php
  

  • —OR— A stream wrapper path:

  php://filter/...
  
  

This is a very common technique that allows for LFI (Local File Inclusion)

• We can read the php source code (base64 encoded) and view the flag by passing the correct php://filter resource location in as a GET parameter. (page=somevalue)

<http://sem2ctf.icsi.cyber:3444/?page=php://filter/convert.base64-encode/resource=index.php>

Copy that value, base64 decode, and you’ll find the flag in the php code.