Description
http://111.186.59.2:50080
http://111.186.59.2:50081
http://111.186.59.2:50082
The three servers are identical; you can choose any one. The server is reset every 10 minutes.
This challenge is almost the same as https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html :
<?php
($_=@$_GET['yxxx'].'.php') && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.html');
But some of the code is different, so we need to find a new exploit.
We can upload an arbitrary session file using PHP_SESSION_UPLOAD_PROGRESS and include the session file through various wrappers.
But in this challenge we need to bypass the appended .php suffix, so we can imagine two ways to bypass it:
1. phar wrapper
2. zip wrapper
First I tried the phar wrapper, but it's impossible!
https://stackoverflow.com/questions/59302726/include-php-phar-without-phar-extension
Then maybe we can use the second way for the exploit.
https://github.com/p4-team/ctf/tree/master/2016-04-15-plaid-ctf/web_pixelshop
By accident, I found this writeup, and it has very useful information.
A zip file is not required to start with the PK signature.
If we define the proper offsets in the zip file, there is no need for the zip signature at the start of the file.
And we can simply calculate the ZIP offsets by hand!
We need to change two offsets in the zip: just change the Local Header Offset in the Central Directory File Header and the Central Header Offset in the End of Central Directory Record.
These offsets specify the starting locations of the headers within the zip file, so we can unzip our payload regardless of the session prefix.
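As an added example (not the author's exploit and not the challenge code), the script below parses the two offsets named above, the Local Header Offset in the Central Directory File Header and the Central Header Offset in the End of Central Directory Record, and reports whether an archive sitting behind a prefix stores them counted from the archive itself or rebased to byte 0 of the whole file. build_zip, locate_embedded_zip, entry_contents and the PREFIX bytes are assumptions constructed here; the one-entry archive is hand-built with struct so the field positions are visible.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CDFH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# Constructed stand-in for the fixed text a session handler writes before our data.
PREFIX = b"upload_progress_example|i:1;"


def build_zip(name: bytes, data: bytes, base: int = 0) -> bytes:
    """One stored (method 0) entry. `base` is where the archive will sit inside the
    final file; both offsets below are written counted from byte 0 of that file."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, len(data),
                                    len(data), len(name), 0) + name + data
    cd_pos = base + len(local)  # central directory follows the entry
    cdfh = CDFH_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc,
                                  len(data), len(data), len(name), 0, 0, 0, 0, 0,
                                  base) + name  # last field: Local Header Offset
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdfh), cd_pos, 0)
    return local + cdfh + eocd  # cd_pos above is the Central Header Offset


def locate_embedded_zip(blob: bytes) -> dict:
    """Find an archive inside `blob` and say whether its stored offsets count from
    the archive's own first byte ("relative", the plain prefixed layout) or from
    byte 0 of the whole file ("absolute", the rebased layout this writeup uses)."""
    eocd = blob.rfind(EOCD_SIG)
    first_local = blob.find(LOCAL_SIG)
    if eocd < 0 or first_local < 0 or len(blob) < eocd + 22:
        return {"mode": "invalid"}
    _cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    result = {"prefix_len": first_local, "cd_offset": cd_offset, "mode": "invalid"}
    for mode, shift in (("absolute", 0), ("relative", first_local)):
        cd = cd_offset + shift
        if blob[cd:cd + 4] != CDFH_SIG:
            continue
        (lh_offset,) = struct.unpack_from("<I", blob, cd + 42)  # Local Header Offset
        if blob[lh_offset + shift:lh_offset + shift + 4] == LOCAL_SIG:
            result.update(mode=mode, lh_offset=lh_offset)
            break
    return result


def entry_contents(blob: bytes, name: bytes) -> bytes:
    """zipfile rescans from the EOCD record, so it reads either layout."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name.decode())
```

Python's zipfile tolerates both layouts because it recomputes the shift from the EOCD position; the "absolute" result is what a file has to look like for a reader that trusts the stored offsets as-is.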
On the server session.upload_progress.cleanup is enabled, so we need to use a race condition.
Then we can get the flag!
My exploit :
https://gist.github.com/as3617/50d598ede736d81bc57804e4d19700e5