Write-Up Advent of CTF 2020 Challenge 22


The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by our community member of the and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website

Challenge 22

  • Description: We have a new service! You can view santa’s favorite pictures. Currently there is only one, but it is a very good one! You can get the flag through flag.php.
  • 2200 Points

Well, Santa got a new service! Viewing Santa’s favorite pictures, let’s check what’s his favorite picture. We visit the challenge URL We are ending up on this web page.

Advent of CTF Challenge 22 Start Page

We are have only a URL with the name Is this santa? Let’s check!

This is santa

Haha, Santa is adorable. For now, we’ve had enough fun, we need to complete this challenge. According to the URL, we can see te image parameter. This parameter is including the file image cat.jpg. From the previous challenge, we have some experience with file inclusion. We need to keep this in mind, it can be useful. Let’s start this easy by checking the source code. We can see that the image is not a standard URL, but a data URL.

<img src="data:image/jpeg:base64,(base64 string)

Source Code

From the description of this challenge, we know that the flag is in flag.php. Let’s try to include the flag in the image parameter. We are ending up with this URL:

No flag (yet)

Unfortunately the flag is not yet visible. More is needed to read the flag. We can see that there is sort of a file included in our request. When we are reading the source code, we can notice that there is again a data URL visible with a base64 encoded string.

After decoding this string, it’s revealing his contents.


 if (strpos(check_secret(), "allow") !== false) {
    echo get_flag(); 


From this file, we can see that the flag is protected by the file secrets.php. But, we are not allowed to include this file. If we try to include this file, we got redirected to the index.php. So, we need to find a way to get around this protection. If we try a path traversal attack to get the flag with this URL, the website is returning the error message: Warning: file_get_contents(../flag.php): failed to open stream: No such file or directory in /var/www/html/index.php on line 46.

file_get_contents error message

This message is an interesting one. It tries to include a file, but it’s not finding the file. This makes sense, because flag.php is probably in the current directory and not in a directory deeper. We are not authorized to call secrets.php directly. Let’s see if we can play a bit with the URL parameter image and if we can read the file secrets.php in a different way. After trying several URLs for a while I come up with the following payload for reading secrets.php:

Through the source code, I can see this data URL:


After decoding the base64 string, we get the flag!

~$ echo "Tk9WSXthc2tpbmdfZm9yX2FfZnJpZW5kfQ==" | base64 -d

Thanks for reading!

This post is licensed under CC BY 4.0 by the author.