3KCTF-WRITEUPS (WEB)
3kCTF write-ups for web
Reporter
Title: reporter
In this challenge we are greeted with a markdown-to-HTML converter, and we can create a report.
My first thought was XSS, and I randomly tried a few payloads. After getting nowhere I decided to go through the source code (better late than never lol :P).
While going through the source I found that when an image is provided, rather than displaying it directly, it does a base64_encode(fetch_remote_file($value)) of the img URL.
Hmm, SSRF..
So I set it up locally and started trying to bypass the fetch_remote_file function, which does quite a few checks:
function fetch_remote_file($url) {
It's using parse_url, which we all know is extremely buggy lol.
So I could easily get an LFI using the payload http:a../../../../../../../etc/passwd
Now I could read files, and I tried reading http:a../../../../../../../var/www/html/secret-report/index.php
and stuff like that, but didn't get anything.
So my next step was to use the SSRF to read localhost files,
but there is a check which prevents a direct SSRF payload like http://127.0.0.1/secret-report
So I started looking for alternatives and found that its checks basically only work for IPv4, so why not do SSRF using an IPv6 address?
So I used http://[::ffff:7f00:1]/secret-report
and was able to get the contents of secret-report.
There were 2 PHP files;
now it was a simple matter of using the previous LFI to read them.
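As an added defender's example (not code from the challenge or this write-up), here is a URL allow-check in Python that closes both gaps described above: the scheme-only "http:a../" form that parses to a path with no host, and the IPv4-mapped IPv6 literal that slips past an IPv4-only loopback check. The DNS map and hostnames are constructed for offline use; a real deployment would resolve via the system resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS stub (assumption, for offline use only): a real check
# must resolve the host and test EVERY returned address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "evil.internal": ["127.0.0.1"],
}

def _is_blocked_ip(ip):
    """Reject loopback, private, link-local, reserved, multicast and
    unspecified ranges. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    first; that is exactly the gap an IPv4-only check leaves open."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def is_safe_fetch_url(url, resolve=lambda h: FAKE_DNS.get(h, [])):
    """Return True only for an absolute http(s) URL whose host is, or
    resolves exclusively to, public addresses. Fails closed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # 'http:a../../etc/passwd' parses with an empty netloc: no host, no fetch.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Credentials in the URL are a common parser-confusion trick; refuse them.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IPv4 or [IPv6]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False
    return not any(_is_blocked_ip(a) for a in addrs)
```

The address that passes this check must also be the one the HTTP client actually connects to (pin it, and re-check on redirects), otherwise DNS rebinding or a 302 to 127.0.0.1 reopens the hole.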
Payload:
FLAG:3k{ssrf_bug_f068b29b58ccd0}
I GOT FIRST BLOOD ON IT TOO :)
carthagods
Author: rekter0, Dali
The challenge provided redacted source code.
When we visited the page it seemed like a basic information site in which we had
several options like:
Baal -> /baal
The server seems to be using mod_rewrite
according to the .htaccess,
and from the source we can see that
$file=$_GET[*REDACTED*];
so there is a secret parameter and file_get_contents() is being used on it.
So if we can find the secret parameter we have an arbitrary LFI,
and since it's using mod_rewrite,
if we access http://carthagods.3k.ctf.to:8039/js
it will redirect us to http://carthagods.3k.ctf.to:8039/js/?eba1b61134bf5818771b8c3203a16dc9=js.
Hence the parameter we are looking for is eba1b61134bf5818771b8c3203a16dc9
Next we need to read flag.php,
but there is a check which rejects any file whose content includes <?php
Hmm.
I was stuck here for quite some time,
and then went back to basics and checked info.php (phpinfo)
and found it's using OPcache.
I remembered that in a previous CTF we had also used OPcache to get a blacklisted file.
Now I realised there would be a cache file of flag.php,
and that would not contain <?php
(as the page was filtering that string, this is the bypass we need).
The next thing to do is to find the system_id,
as the path to the OPcache file is /var/www/cache/{system_id}/var/www/html/<file>.bin
Here I used the tool and was able to get the system id.
Payload: http://carthagods.3k.ctf.to:8039/?eba1b61134bf5818771b8c3203a16dc9=../../../../../../var/www/cache/e2c6579e4df1d9e77e36d2f4ff8c92b3/var/www/html/flag.php.bin
flag:3k{Hail_the3000_years_7hat_are_b3h1nd}