June 30, 2016 Karn Ganeshen

Exploit Exercises – nebula level09

Exploit Exercises – nebula level09


flag09 reads the file supplied as arg1. We also need to supply a second arg but it is not used. If we do not supply arg2, an error is thrown but file specified by arg1 is still read.


After trial & error, found the correct syntax that flag09 accepts.
    [email $phpinfo()]
This makes flag09 treat the phpinfo() as a valid variable – but throws an error.

Success – 0.1 – found correct syntax to get phpinfo() executed ->
    [email {${phpinfo()}}]


Success – using php’s exec() method to execute getflag/id
    [email {${exec(id)}}]


Tagged: ,

Leave a Reply

Your email address will not be published. Required fields are marked *