Categories
UMD CTF Web Exploitation

“SignStealingSoftware-P2”

Challenge Problem :

“We are now in the system! Looks like the developers are still there, now we just need to find the key so we can create more user accounts, so our team can steal all the signs! http://159.89.228.183:8081

When we login into the given domain, we can immediately spot an LFI vulnerability in the way the presented gifs are being loaded

As a result of the LFI, we have the ability to view a file’s content, but we dont have the ability to locate files that we seek in the system.
We thought of 2 different possible approaches:
A. find a vulnerability in the source code
B. leak information about the system in common files and try to navigate to the flag

First of all, we checked how the source code works. Assuming this is a typical PHP page when querying for index.php we got the following result >>>>

Erm, nothing interesting… We did try to find an RCE vuln in the PHP function get_file_contents, and to load our own URLs but all of these ideas failed. Well, now for the approach that worked for us, option B.

When querying for ./../../../../etc/passwd, one cat spot the existent of a few different user accounts

<<< One of them, suspiciously, is called “gitserver”

All of a sudden, we had an “Aha!” moment; let’s revisit the challenge description: “We are now in the system! Looks like the developers are still there” That must be the developers’ user! We immediately checked if a git repo exists in the gitserver user’s home folder by querying for ./../../../../home/gitserver/.git/HEAD

At this point we looked for common files that exist in the .git directory. There is a writeup of web2_200 in nullconCTF 2018, contains useful common file paths in the .git directory, one of which is “.git/logs/HEAD” which is responsible for useful log info – such as commits.

After performing some research, an idea struck our minds – the flag might be in a commit’s comment! We checked the log file’s contents (./../../../../home/gitserver/.git/logs/HEAD )

Aha! VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0= is valid base64!

We can execute the following command : echo 'VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=' | base64 -d

It will print out our flag :

UMDCTF-{Yo0_KN0w_Th3_N3Xt_p1tCH}

Leave a Reply

Your email address will not be published. Required fields are marked *