SignStealingSoftware-P2 (Web Exploitation)
We are now in the system! Looks like the developers are still there, now we just need to find the key so we can create more user accounts, so our team can steal all the signs! http://126.96.36.199:8081
A web exploitation challenge in UMDCTF, where we placed 1st internationally. Shoutout to the University of Maryland for hosting such a fun event :)
When we log in to the given domain, we can immediately spot an LFI vulnerability in the way the presented gifs are loaded:
As a result of the LFI we can read the contents of any file whose path we know, but we get no directory listing, so we cannot discover where the files we are looking for live. We thought of two possible approaches:
A. find a vulnerability in the source code
B. leak information about the system from common, well-known files and use it to navigate to the flag
First of all, we checked how the source code works. Assuming this is a typical PHP page, querying for `index.php` gives the following result:
Erm, nothing interesting… We did try to find an RCE vulnerability in the PHP function `file_get_contents`, and to make it load URLs under our control, but all of these ideas failed. Well, now for the approach that worked for us, option B.
When querying for `./../../../../etc/passwd`, one can spot the existence of a few different user accounts. One of them, suspiciously, is called `gitserver`.
All of a sudden, we had an “Aha!” moment; let’s revisit the challenge description: “We are now in the system! Looks like the developers are still there.” That must be the developers’ user! We immediately checked whether a git repository exists in the `gitserver` user’s home folder by querying for `./../../../../home/gitserver/.git/HEAD`. At this point we looked for common files that exist in the `.git` directory. A writeup of web2_200 from nullconCTF 2018 lists useful common file paths inside `.git`, one of which is `.git/logs/HEAD`, which records useful log information such as commits.
After performing some research, an idea struck us: the flag might be in a commit message! We checked the log file’s contents, and the commit message contained `VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=`, which is valid base64! We can decode it with the following command:
`echo 'VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=' | base64 -d`
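An added example, not code from the writeup, showing why a readable `.git/logs/HEAD` is a leak in itself: it parses the reflog format (old sha, new sha, author, timestamp, tz, tab, message), pulls out each commit message and decodes any base64-looking token it finds. A repository owner can run the same check over their own reflog before publishing a directory. The reflog lines, hashes, author and timestamps below are constructed; only the base64 string is the one from the page.

```python
import base64
import re

# Constructed sample of a .git/logs/HEAD reflog; hashes, author and
# timestamps are made up, the base64 token is the one seen in the challenge.
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "1111111111111111111111111111111111111111 "
    "Dev <dev@example.com> 1588280000 +0000\tcommit (initial): add sign app\n"
    "1111111111111111111111111111111111111111 "
    "2222222222222222222222222222222222222222 "
    "Dev <dev@example.com> 1588280100 +0000\t"
    "commit: VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=\n"
)

# One reflog entry: <old> <new> <name> <email> <epoch> <tz>\t<message>
REFLOG_RE = re.compile(
    r"^([0-9a-f]{40}) ([0-9a-f]{40}) (.+?) <([^>]*)> (\d+) ([+-]\d{4})\t(.*)$"
)
# Runs of base64 alphabet long enough to be worth decoding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_reflog(text):
    """Return (new_sha, message) pairs; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(7)))
    return entries


def decode_base64_tokens(message):
    """Return printable ASCII decodings of base64-looking tokens."""
    found = []
    for tok in B64_TOKEN_RE.findall(message):
        if len(tok) % 4:
            continue  # not a complete base64 quantum
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def find_encoded_secrets(reflog_text):
    """(sha, decoded) for every decodable token in every commit message."""
    return [(sha, d) for sha, msg in parse_reflog(reflog_text)
            for d in decode_base64_tokens(msg)]
```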