Hack me has a lot of web challenges.
This one is called "Restrictions Bypass".
The description says it is a two step challenge.
The goal here is to find the key which is stored "inside" a file located in the same
directory as index.php.
Enter the key on /flag.php page to generate your unique flag.
Okay.
So let's get started.
So, when we start the challenge, the index.php has a link to a text file called read_me.txt.
There is a hint which says to look at the URL.
Looking at the URL, I quickly suspected it to be vulnerable to a local file inclusion vulnerability,
but when trying to load some files, it didn't work.
I tried PHP wrappers too, but no luck.
But then I noticed something weird.
When trying to go back a directory while including "read_me.txt", it showed an open_basedir
restriction error.
The author clearly didn't want us to just solve it by a fluke.
As you can see, our input is going into the readfile function.
Another weird behavior!
If we include read_me in the input it gives an error, but if no read_me is included then the
script simply dies, outputting some text.
So here we can't use read_me.txt and append dot dot slash to go back a directory, as the
path is blocked. So, I just removed ".txt" and loaded download.php.
Okay then, let's read the code.
So $file contains our input.
If the length of the input is greater than 50, then the execution stops.
And $fileName holds the basename, which is basically the text after the last slash.
And yeah, here it is! read_me must be included, otherwise the code stops executing.
After that, our input goes into the readfile function.
After that is the most important part.
The eval basically treats a string as PHP code.
Here $fileName is written to stats.txt in the stats directory.
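As an added illustration (not the challenge's own source, which this post does not reproduce), here is a reconstruction of the pattern described above next to a hardened version that keeps the same features without readfile on a user-controlled path or eval over user data. The parameter name `file`, the `die()` messages and the stats line format are assumptions; the 50-char limit, the `read_me` check, `download.php` and `stats/stats.txt` are from the post.

```php
<?php
// --- Reconstructed weak pattern (assumption based on the post, not the real challenge code) ---
function download_weak(): void
{
    $file = $_GET['file'] ?? '';                       // parameter name is assumed
    if (strlen($file) > 50) {
        die('input too long');                         // message assumed
    }
    $fileName = basename($file);                       // text after the last slash
    if (strpos($fileName, 'read_me') === false) {
        die('read_me missing');                        // message assumed
    }
    readfile($file);                                   // only open_basedir limits this path
    // The basename is spliced into a string that is then executed as PHP.
    // Any quote in $fileName changes the code that eval() runs.
    eval('file_put_contents("stats/stats.txt", "' . $fileName . "\n" . '", FILE_APPEND);');
}

// --- Hardened version: fixed directory, allowlist, no eval ---
// Returns true when a file was served, false when the request was rejected.
function download_safe(string $requested, string $baseDir, array $allowedNames): bool
{
    if (strlen($requested) > 50) {
        return false;
    }
    $name = basename($requested);
    // Exact-match allowlist instead of a substring check for "read_me".
    if (!in_array($name, $allowedNames, true)) {
        return false;
    }
    // Resolve the path and confirm it is still inside $baseDir after symlinks.
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    readfile($path);
    // Log with an encoder, never by building source text from input.
    $line = json_encode(['file' => $name, 'ts' => time()]) . "\n";
    file_put_contents($root . '/stats/stats.txt', $line, FILE_APPEND | LOCK_EX);
    return true;
}

// Example wiring for the hardened handler (directory and allowlist are assumed values).
download_safe($_GET['file'] ?? '', __DIR__, ['read_me.txt']);
```

The hardened handler rejects any basename not on the allowlist before touching the filesystem, so the quote-balancing trick the post goes on to describe has nothing to land in.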
So let's try exploiting this code.
Since whatever is after the slash is going into readfile, let's try balancing the quotes and
inputting our payload.
So I balanced the first quote with a quote, and then a closing bracket and a sign.
After that, just code to print the files of the current directory, and then again balancing
the quotes and stuff.
If we look at the final query, it looks something like this, which gives no error, and then everything
works fine.
And here we can see a file with a .key extension where a secret text is hidden.
But printing the content of the file is difficult, as we can only input 50 chars and using
the whole name would exceed that limit.
So, since the file name is MD5 hashed, it can be reversed and then used.
After using its reversed form, we can get the key and then generate our flag.