1

I'm trying to make a ctf challenge involving local file inclusion.

With that in mind, I've recreated a "linux" like folder system with /etc/, /var/, /home etc ... because I use a free web hosting service.

In order to not look suspicious to the users I want to change just graphicly the URL to make it look like the user is at the root directory while he is indeed in an other subdirectory (also the user need to be able to include ../../etc/passwd). So far this is what I have :

RewriteEngine On
RewriteBase /folder1/folder2/

and this file is located in /folder1/folder2/, but it does nothing ...

Can someone help me?

PS : Sorry for my English.

MrWhite
  • 43,179
  • 8
  • 60
  • 84
juneday
  • 41
  • 5

1 Answers1

0
RewriteBase /folder1/folder2/

By itself, the RewriteBase does not do anything. The RewriteBase directive overrides the base URL-path to be used in relative path substitutions in the RewriteRule directive. For example, given the following:

RewriteBase /folder1/folder2/
RewriteRule ^foo$ bar [L]

With the above, if you request /foo then the request will be internally rewritten to /folder1/folder1/bar because the substitution string bar is relative. This is the same as stating the following:

RewriteRule ^foo$ /folder1/folder2/bar [L]

That is all the RewriteBase directive does. You don't strictly need it here, but you can use it if you want to.

and this file is located in "/folder1/folder2/", but it does nothing ...

You need to target requests for the document root, so you can't put this .htaccess file in the /folder1/folder2/ directory - it simply won't do anything. A .htaccess file located at /folder1/folder2/.htaccess will only target requests to /folder1/folder2/ and all subdirectories thereof.

By the sounds of it you want to internally rewrite all requests from the document root to the /folder1/folder2/ directory - effectively hiding /folder1/folder2/ from the user.

For this you need to use something like the following in the /.htaccess file located in the document root:

RewriteEngine On

RewriteRule !^folder1/folder2 /folder1/folder2%{REQUEST_URI} [L]

The above rewrites any request that is not already for /folder1/folder2 to that subdirectory.

also the user need to be able to include ../../etc/passwd

I'm not sure how you are intending to "include" this, but if you are referring to client-side URL-paths then you should not use relative URL-paths like this. Use root-relative URL-paths eg. /etc/passwd (from the document root).

How to write a .htaccess that changes /folder1/folder2/ to /

Note that this .htaccess file does the complete opposite. It changes URLs that request / (the document root) to /folder1/folder2/ - which seems to be the requirement in your question. You need to have already changed /folder1/folder2/ to / in your internal links.

MrWhite
  • 43,179
  • 8
  • 60
  • 84
  • Thank you a lot ! I'll try it out as soon as I can. Also I intend to include it with a simple "include $_GET['page'];" Hopefully this htaccess doesn't redirect includes to the subdirectory but only browser requests. – juneday Feb 18 '21 at 07:33
  • This will not redirect ordinary PHP includes (if that is what you are referring to). `.htaccess` works on HTTP requests. An ordinary PHP include is not an HTTP request. – MrWhite Feb 18 '21 at 10:16