We keep the flag secure. Secure!?.

Let’s check the website first.

We have two links. Let’s check both.

It looks we have Local File Inclusion (LFI) here. Let’s try to retrieve the source files for these two links. We will use php://filter for this task.

So, we don’t have anything interesting in this one. Let’s check the other one.

We don’t have anything good here either. Therefore, I decided to try Remote File Inclusion (RFI). We will try to upload the following php code:

First, we will base64 encode the code above.

Make sure the base64 encoded string does not include symbols ‘+’ or ‘/’ since they are interpreted by url parsers.

Now, we will use data:// wrapper to inject our shellcode.

It worked! We have the following files:

We know that privacy_locker.php and why_locker.php does not contain any useful information since we already got them using LFI. Let’s check the content of index.php this time.

Here we got the flag xiomara{[email protected][email protected][email protected][email protected][email protected]}.