The challenge starts at https://tiktok.domectf.in/dashboard/login.php.
It will welcome you with a login page. The login page uses Php strcmp() function to check the password. It can be bypassed by capturing the request with ZAP/Burp and replacing the firstname.lastname@example.org&pass=abc with email=admin&pass=abc.
If we navigate to https://tiktok.domectf.in/dashboard/icons.php, there are a lot of icons present there. Checking the source of this page shows us that one of the icons is an image.
The src value of the image contains two GET parameters “c” & “i”. The C parameter represents the time and the “i” parameter represents the hex value of the file. The “i” parameter has a LFI vulnerability. In order to exploit that we need to input current time to the “c” parameter. To do this process you need to write a script.
Using this script you can inject payload “../../icons.php” and retrieve source code of the php file. Inspecting the source code of the icons.php, we can find that it is calling another php file image_xscdxhhgko.php.
Retrieving the source code of the image_xscdxhhgko.php helps us to determine what’s going on in the backend.
In that php file there is a python file that is executed. The python code uses input() function to input value (It can be obtained by crashing the python code). The following payload is used for exploiting: