Hack you 2014 - Web 400 Writeup
This challenge used 2 GET parameters: action and param. Given the source code, action is used as the class name and param as the argument passed to its constructor. Now, listing all PHP standard classes with:
php -r 'var_dump (get_declared_classes ());'
we can see which one can allow us to read a file or maybe execute commands: the “GlobIterator” one seems ok. Reading from php.net, it iterates through the file system similar to glob(), which means we can use the wildcard ‘*’ for our own purpose. So let's try it:
http://hackyou2014tasks.ctf.su:40080/index.php?action=GlobIterator&param=/C*
This returns a GlobIterator("/C*") object, whose result (the matching file names) is echoed at the end.
Output: CTF{42a38432d46b9054004a7a87fd3140c7}
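For reference, the pattern behind the bug and one way to close it, as an added example that is not the challenge's own source (the writeup does not reproduce it). The handler classes, the allowlist and the input check are assumptions for illustration; the vulnerable function reconstructs only what the writeup describes: the action parameter becomes a class name and param its constructor argument. Requires PHP 8+.

```php
<?php
declare(strict_types=1);

// Reconstruction of the pattern described in the writeup: untrusted GET input
// selects the class and its constructor argument, so any declared class
// (GlobIterator with a wildcard, for instance) is reachable.
function vulnerableDispatch(array $get): string
{
    $action = (string)($get['action'] ?? '');
    $param  = (string)($get['param'] ?? '');
    $obj = new $action($param);          // class name fully attacker-controlled
    $out = '';
    foreach ($obj as $item) {            // result echoed back, as in the challenge
        $out .= $item . "\n";
    }
    return $out;
}

// Hardened form (assumed design): the request may only pick from a fixed
// allowlist of application handler classes, and the argument is validated
// before it reaches any constructor.
final class HelloHandler
{
    public function __construct(private string $name) {}
    public function run(): string { return "Hello, {$this->name}\n"; }
}

final class EchoHandler
{
    public function __construct(private string $text) {}
    public function run(): string { return $this->text . "\n"; }
}

const ALLOWED_ACTIONS = [
    'hello' => HelloHandler::class,
    'echo'  => EchoHandler::class,
];

function safeDispatch(array $get): string
{
    $action = (string)($get['action'] ?? '');
    $param  = (string)($get['param'] ?? '');

    // The class name is looked up, never taken from the request directly.
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return "unknown action\n";
    }
    // Restrict the argument to a harmless character set, so no path or glob
    // metacharacters can travel into a handler.
    if (!preg_match('/\A[A-Za-z0-9 _-]{1,64}\z/', $param)) {
        return "bad param\n";
    }
    $class = ALLOWED_ACTIONS[$action];
    return (new $class($param))->run();
}

// CLI demonstration with constructed input; no web server needed.
if (PHP_SAPI === 'cli') {
    echo safeDispatch(['action' => 'hello', 'param' => 'world']);       // Hello, world
    echo safeDispatch(['action' => 'GlobIterator', 'param' => '/C*']);  // unknown action
    echo safeDispatch(['action' => 'echo', 'param' => '../*']);         // bad param
}
```

The important difference is that in safeDispatch the request value is only ever used as a key into a constant map; the string that ends up after `new` is always one the application authored. Logging rejected actions is a cheap detection signal for this class of probing.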
Razor4x