Often the flag resides outside the document root (e.g., /home/ctf/flag.txt or /var/www/flag). In that case php://filter still works; you just need the full absolute path.
Find the path:

```
php://filter/convert.base64-encode/resource=../../../../home/ctf/flag.txt
```
If the wrapper respects the real filesystem, the above will succeed.
Result: you get the Base64-encoded flag and can decode it.
The source code of rapidshare1.php is not directly available, but we can infer its behavior:
```php
<?php
$link = $_GET['link']; // or $_POST['link']
$contents = file_get_contents($link); // fetches remote URL
echo "<pre>$contents</pre>";
?>
```
Why this is vulnerable:
Thus the injection point is the link parameter – we can inject a PHP stream wrapper to read arbitrary files.
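A hardened counterpart to the inferred handler above, as an added example rather than the challenge's or the author's code: it accepts only http/https URLs on an allowlisted host, so php:// and other stream wrappers, as well as bare filesystem paths, are rejected before file_get_contents is reached. ALLOWED_HOSTS, validate_link and fetch_link are hypothetical names, and files.example.com is a constructed host.

```php
<?php
// Added example, not the challenge's code. ALLOWED_HOSTS is a constructed
// allowlist (assumption): list only the hosts the service must fetch from.
const ALLOWED_HOSTS = ['files.example.com'];

// Return the URL if it is an http(s) URL on an allowed host, otherwise null.
function validate_link(string $link): ?string
{
    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative or absolute file paths carry no scheme/host
    }
    // Scheme allowlist: rejects php://, file://, data://, phar:// and the rest.
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk = in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
    return ($schemeOk && $hostOk) ? $link : null;
}

function fetch_link(string $link): string
{
    $url = validate_link($link);
    if ($url === null) {
        http_response_code(400);
        return 'Invalid link';
    }
    // No redirects: an allowed host must not bounce the fetch elsewhere.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $contents = @file_get_contents($url, false, $ctx);
    if ($contents === false) {
        http_response_code(502);
        return 'Fetch failed';
    }
    // Escape before output; the inferred handler printed $contents raw.
    return htmlspecialchars($contents, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; only validation runs here, nothing is fetched.
    $samples = ['https://files.example.com/a.zip', '/home/ctf/flag.txt',
        'php://filter/convert.base64-encode/resource=../../../../home/ctf/flag.txt'];
    foreach ($samples as $s) {
        printf("%-7s %s\n", validate_link($s) === null ? 'REJECT' : 'ALLOW', $s);
    }
} else {
    $link = $_GET['link'] ?? '';
    echo '<pre>' . fetch_link(is_string($link) ? $link : '') . '</pre>';
}
```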
The Roughman Injection – Rapidshare 1 challenge is a typical web‑application injection task. The goal is to retrieve a hidden flag (usually a string that looks like FLAG…) from a server that hosts a simple “file‑sharing” interface.
Key characteristics of the challenge:
| Aspect | Details |
|--------|---------|
| Category | Web – Injection (SQL / Command / File) |
| Entry point | A single HTTP GET/POST endpoint that accepts a “link” (or “url”) parameter. |
| Goal | Exploit the injection to read the contents of a protected file (e.g., flag.txt or /etc/passwd) that is otherwise inaccessible. |
| Typical flag format | FLAG… (or CTF…) |
| Restrictions | The service runs inside a sandbox with limited OS commands; no direct shell access. |
Below is a step‑by‑step walk‑through of how the challenge can be solved, from initial recon to the final flag retrieval.
Below is a concrete set of steps that worked for the “Rapidshare 1” instance during the competition.