Path Traversal on 4mN3s14 | CTF Player & Studenthttps://john-jkar.github.io/myblog/tags/path-traversal/Recent content in Path Traversal on 4mN3s14 | CTF Player & StudentHugoen-usFri, 27 Feb 2026 00:00:00 +0000Local File Inclusion (LFI) - CTF Writeuphttps://john-jkar.github.io/myblog/posts/lfi/Fri, 27 Feb 2026 00:00:00 +0000https://john-jkar.github.io/myblog/posts/lfi/<h1 id="alpaca-rangers--daily-alpacahack-write-up">Alpaca Rangers — Daily Alpacahack Write-up</h1> <p><strong>Category:</strong> Web <strong>Difficulty:</strong> Medium <strong>Topic:</strong> Local File Inclusion (LFI)</p> <h2 id="description">Description</h2> <blockquote class="blockquote-regular"> <p>Hero of Justice, Alpaca Rangers!</p> </blockquote> <p>We&rsquo;re given a PHP image viewer that loads files via a <code>?img=</code> GET parameter.</p> <h2 id="source-code-analysis">Source Code Analysis</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-php" data-lang="php"><span style="display:flex;"><span>$targetPath <span style="color:#f92672">=</span> $_GET[<span style="color:#e6db74">&#39;img&#39;</span>] <span style="color:#f92672">??</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">str_starts_with</span>($targetPath, <span style="color:#e6db74">&#39;/&#39;</span>) <span style="color:#f92672">||</span> <span style="color:#a6e22e">str_starts_with</span>($targetPath, <span style="color:#e6db74">&#39;\\&#39;</span>) <span style="color:#f92672">||</span> <span style="color:#a6e22e">str_contains</span>($targetPath, <span style="color:#e6db74">&#39;..&#39;</span>)) { </span></span><span style="display:flex;"><span> $errorMessage <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;Invalid path.&#39;</span>; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> $contents <span style="color:#f92672">=</span> <span style="color:#f92672">@</span><span style="color:#a6e22e">file_get_contents</span>($targetPath); </span></span><span style="display:flex;"><span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span> $dataUri <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;data:&#39;</span> <span style="color:#f92672">.</span> $mimeType <span style="color:#f92672">.</span> <span style="color:#e6db74">&#39;;base64,&#39;</span> <span style="color:#f92672">.</span> <span style="color:#a6e22e">base64_encode</span>($contents); </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>The app tries to block path traversal by rejecting anything that:</p> <ul> <li>Starts with <code>/</code> or <code>\</code></li> <li>Contains <code>..</code></li> </ul> <p>However, it passes the raw user input directly into <code>file_get_contents()</code> — which in PHP supports <strong>stream wrappers</strong> like <code>php://</code>, <code>file://</code>, <code>http://</code>, etc.</p>