To start the challenge, I ran a directory brute-force using Gobuster to identify hidden directories and files.

Upon navigating to http://127.0.0.1:8081, we are redirected to /login.php, suggesting a session-protected environment.

However, when intercepting the request to /, we noticed that the full page content is loaded first and the redirect happens only afterwards. This leak reveals a hidden message on the page.
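The check below is an added example, not code from the challenge or its source archive: it requests paths without following redirects and flags any redirect response that still carries page content. It assumes the redirect is an HTTP 3xx response with a body; the handler, its content and the helper names are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the flawed app: redirects / but still sends the page."""
    def do_GET(self):
        if self.path == "/":
            body = b"<html><!-- constructed protected content --></html>"
            self.send_response(302)
            self.send_header("Location", "/login.php")
        else:
            body = b"login form"
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_no_follow(host, port, path):
    """GET path; http.client never follows redirects, so we see the raw response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body

def redirect_leaks_body(status, body, max_benign=0):
    """True when a 3xx response carries more body bytes than allowed."""
    return 300 <= status < 400 and len(body.strip()) > max_benign

def audit(host, port, paths):
    """Return (path, status, location, body_size) for each leaking redirect."""
    findings = []
    for path in paths:
        status, location, body = fetch_no_follow(host, port, path)
        if redirect_leaks_body(status, body):
            findings.append((path, status, location, len(body)))
    return findings

def demo():
    server = HTTPServer(("127.0.0.1", 0), LeakyHandler)  # ephemeral local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port, ["/", "/login.php"])
    finally:
        server.shutdown()
        server.server_close()
```

A finding means the handler kept rendering after issuing the redirect; the server-side fix is to stop processing the request as soon as the redirect is sent. Raise `max_benign` for frameworks that attach a short "redirecting" stub to every 3xx response.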

The message revealed a hidden PHP file path:

/0xf4h1dd3nd1r3ctory.php

Accessing the hidden PHP file gave us access to a downloadable backup.zip containing the full source code of the web app.

After unzipping it, we inspected the main logic in index.php: