Sunday, September 6, 2015

MMA 1st CTF 2015 - Uploader (100)


This was one I kept coming back to. The CTF featured LFI vulnerabilities in a few of its challenges; this one was focused purely on a single vulnerability.
The description looked something like this:

This uploader deletes all /<\?|php/. So you cannot run php.

http://recocta.chal.mmactf.link:9080/
http://recocta.chal.mmactf.link:9081/ (Mirror 1)
http://recocta.chal.mmactf.link:9082/ (Mirror 2)
http://recocta.chal.mmactf.link:9083/ (Mirror 3)
You can only upload files whose name is matched by /^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$/.


So it sanitizes the content of your upload by deleting every occurrence of "<?" and "php". That rules out both "<?php" and the short "<?" tag, so there is no obvious way to start PHP interpretation.

At first I tried a few different variations on those opening tokens: spaces, escapes, HTML entities and so on.

If you look up the opening tags PHP accepts, you'll find a special HTML-style one, <script language="php">, documented in the RFC that later removed it (together with the ASP-style <% tag) in PHP 7.0: https://wiki.php.net/rfc/remove_alternative_php_tags

So now we can write a file such as this:
<script language=php> echo "testing"; </script>
The file didn't execute: the filter deleted the literal "php" inside the tag, leaving <script language=>, exactly as the regex shows, so PHP never saw an opening tag.

The regex has no case-insensitive flag, while PHP recognizes the tag regardless of case, so let's try capitalizing it so it reads:
<script language=PHP> echo "testing"; </script>

Sure enough, we upload this, and it works!
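To make the failure mode concrete from the defender's side, here is an added example (not code from the original post or from the challenge server) that models the uploader's filter as the description gives it, shows which uploads survive it, and puts a stricter check beside it. The function names, the allow-list of extensions and the sample upload bodies are all my own constructions; the filename regex is the one from the challenge description.

```python
import re

# Constructed sample upload bodies (not taken from the challenge server).
SAMPLES = {
    "classic":   '<?php echo "testing"; ?>',
    "lower_tag": '<script language=php> echo "testing"; </script>',
    "upper_tag": '<script language=PHP> echo "testing"; </script>',
    "plain":     '<p>hello</p>',
}

# The challenge's filter as described: delete every match of /<\?|php/.
# Two weaknesses: it is case-sensitive, and it rewrites the body instead of
# rejecting it, so anything the pattern misses is served as-is.
WEAK_PATTERN = re.compile(r"<\?|php")


def weak_sanitize(content: str) -> str:
    """Apply the uploader's deletion filter and return what is left."""
    return WEAK_PATTERN.sub("", content)


# Every opening-tag form the PHP 5 lexer accepted, matched case-insensitively:
# "<?" (covers "<?php" and "<?="), "<%" (ASP tags, when asp_tags=On) and the
# HTML-style <script language=php> tag (quotes optional, whitespace allowed).
# PHP 7.0 dropped the last two, but an uploader should not assume the version
# of the interpreter that will eventually read the file.
STRICT_PATTERN = re.compile(
    r"<\?|<%|<script\b[^>]*\blanguage\s*=\s*[\"']?php\b",
    re.IGNORECASE,
)


def contains_php_open_tag(content: str) -> bool:
    """True if any PHP opening-tag form appears anywhere in the body."""
    return STRICT_PATTERN.search(content) is not None


def survives_weak_filter(content: str) -> bool:
    """True if the body still carries a PHP opening tag after weak_sanitize()."""
    return contains_php_open_tag(weak_sanitize(content))


# Hypothetical allow-list: the file types this uploader actually needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "gif", "txt"}


def accept_upload(filename: str, content: str) -> bool:
    """Reject rather than rewrite: allow-list the extension (using the
    challenge's own filename pattern) and refuse any body containing a PHP
    opening tag in any form."""
    m = re.fullmatch(r"[a-zA-Z0-9]+\.([a-zA-Z0-9]+)", filename)
    if m is None or m.group(1).lower() not in ALLOWED_EXTENSIONS:
        return False
    return not contains_php_open_tag(content)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} weak filter leaves tag: {survives_weak_filter(body)!s:5} "
              f"strict check flags it: {contains_php_open_tag(body)}")
```

Only the capitalized tag survives the deletion filter, which is the whole bypass; the strict pattern flags all three PHP bodies. The deeper fix is not a better regex but storing uploads where the web server will never hand them to an interpreter, with the allow-list as a second layer.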

Now we need to do something more important with the payload we upload. Let's try finding the flag! Grep should do the trick!
<script language=PHP> echo system("egrep -rnis 'MMA\{' /"); </script>

Using 'MMA{' as the flag prefix seemed like a safe bet, searching every file starting from the root directory.

/flag:1:MMA{you can run php from script tag} /flag:1:MMA{you can run php from script tag}

The line appears twice because system() prints the command's output itself and also returns its last line, which the surrounding echo prints again.

Flag: MMA{you can run php from script tag}