DefCamp CTF 2021–22

Parsz
4 min read, Feb 15, 2022

A thorough, educative beating…

Hello guys, Parsz here again. It’s another CTF, this time it’s DefCamp 2021–22. It took place from Friday the 11th 2022 to Sunday the 13th 2022. As you know I participated with my team…

Though we didn’t make it to the top 50 teams, it was a great learning experience and I would like to thank the DefCamp team for organizing the CTF.

I took the web category (nothing beats web, you know ;)). There were 5 web challenges in total and, fortunately, I was unable to solve them. I say fortunately because while trying to solve them I learned a couple of new things I wouldn’t have learned if I had solved them.

Challenge: Para-code

We were given an IP address and, navigating to it, we found…

This is the PHP source code of the page. It includes a file called flag.php (I’m guessing the flag is there). The code then takes a parameter called “start” via the GET method. Fast forward to the code further down and we see that it gets the length of the parameter: if the length is greater than four, the command won’t be executed and you get “Please enter a valid command”. But before the parameter can be executed it also has to be checked against an array of illegal values with if(strpos($_GET['start'], $blackItem) !== false). If a blacklisted item is found anywhere in the parameter, sorry, nothing happens; otherwise it is passed down for execution.

I start interacting with the parameter and get different outputs.

This one http://34.159.7.96:32210/?start=id gives out:

Another one http://34.159.7.96:32210/?start=cat+*

Due to bad luck, the array of illegal values and the length limit make it hopeless to do anything meaningful. This is where I got stuck, and after a sleepless night and unfruitful ventures I gave up and decided to wait for the write-ups.

The write-ups came out and I was able to solve the challenge.

I used CryptoCat’s writeup on YouTube https://www.youtube.com/watch?v=vt71JJLmaVY

The solution was to use the two-letter Linux command → m4.

Lucky for us m4 was not part of the illegal values.

M4

What exactly is m4? m4 is a macro processor. A macro processor scans input text for defined symbols — the macros — and replaces that text by other text, or possibly by other symbols. For instance, a macro processor can convert one language into another. m4 copies its input (from files or standard input) to standard output. It checks each token (a name, a quoted string, or any single character that is not part of either a name or a string) to see if it’s the name of a macro. If so, the token is replaced by the macro’s value, and that text is then pushed back onto the input to be rescanned. You can read more about m4 at: https://www.ibm.com/docs/zh/aix/7.2?topic=concepts-m4-macro-processor-overview.
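As an added illustration of the scan, replace and rescan loop just described (example code written for this post, not part of the original and not GNU m4 itself), here is a tiny Python macro processor that supports define(name, value), `quoted' text and rescanning of expanded output. Argument handling is simplified (arguments are taken literally; real m4 expands them first), and user-defined macros take no arguments.

```python
from collections import deque


def _read_args(buf):
    """Consume '(' ... ')' from the front of buf and split on top-level commas.
    Simplification: arguments are taken literally, real m4 expands them first."""
    assert buf.popleft() == "("
    args, cur, depth = [], [], 0
    while buf:
        c = buf.popleft()
        if c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            if depth == 0:
                break
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    args.append("".join(cur).strip())
    return args


def expand(text, macros=None, max_rescans=10000):
    """Copy text to the output, expanding macros the way the post describes:
    each name token is looked up, and a macro's value is pushed back onto the
    input so it is rescanned rather than emitted directly. With no macros
    defined, input is copied to output unchanged."""
    macros = dict(macros or {})
    buf = deque(text)       # the input stream; pushbacks go on the left
    out = []
    rescans = 0
    while buf:
        ch = buf[0]
        if ch == "`":       # quoted string: strip one quote level, no rescan
            buf.popleft()
            depth, s = 1, []
            while buf:
                c = buf.popleft()
                if c == "`":
                    depth += 1
                elif c == "'":
                    depth -= 1
                    if depth == 0:
                        break
                s.append(c)
            out.append("".join(s))
        elif ch.isalpha() or ch == "_":   # name token
            name = []
            while buf and (buf[0].isalnum() or buf[0] == "_"):
                name.append(buf.popleft())
            name = "".join(name)
            if name == "define" and buf and buf[0] == "(":
                args = _read_args(buf)
                macros[args[0]] = args[1] if len(args) > 1 else ""
                # define itself expands to the empty string
            elif name in macros:
                rescans += 1
                if rescans > max_rescans:
                    raise RecursionError("macro expansion did not terminate")
                buf.extendleft(reversed(macros[name]))   # push back for rescanning
            else:
                out.append(name)
        else:               # any other single character is copied through
            out.append(buf.popleft())
    return "".join(out)


if __name__ == "__main__":
    print(expand("define(foo, bar)foo baz"))        # bar baz
    print(expand("define(a, b)define(b, c)a"))      # c  (expanded text is rescanned)
    print(expand("define(foo, bar)`foo'"))          # foo (quoting suppresses expansion)
```

The default behaviour is the one that matters for the challenge: a file that defines no macros is simply copied to standard output, so from a filtering point of view a tool that echoes its input is no safer to allow than the one that was blacklisted.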

We put m4+* as the value of our GET parameter and voila!!! We get the flag.

Well, I didn’t get the flag because the CTF was over. :) If you watch the write-up, you’ll see CryptoCat getting the flag. Keep reading.

But while researching strpos() vulnerabilities, I learnt about double encoding. From CryptoCat I learned about bash bypass restrictions from HackTricks.

A strpos()-based blacklist check is actually vulnerable to double encoding.
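To make both points concrete, here is an added Python model (not the challenge’s PHP, which the post shows only as an image) of the filter described under Para-code and of the double-encoding weakness. The blacklist contents, the allowlist in the hardened version and the assumption that the application URL-decodes the parameter a second time after the check are all constructed for illustration; only the four-character limit and the substring check come from the post.

```python
from urllib.parse import unquote

# Constructed stand-in for the challenge's $blackList (the post does not
# reproduce the real one); the four-character limit is the one the post describes.
BLACKLIST = ["ls", "sh", "nc", ";", "|", "&"]
MAX_LEN = 4


def legacy_filter(start):
    """Model of the check described in the post: reject when the value is longer
    than MAX_LEN or when any blacklist item occurs anywhere in it, which is what
    strpos($_GET['start'], $blackItem) !== false tests (a substring match)."""
    if len(start) > MAX_LEN:
        return False
    return not any(item in start for item in BLACKLIST)


def legacy_check_then_decode(raw):
    """Assumed weakness: the check runs on the once-decoded value that PHP places
    in $_GET, but the application decodes again before using it, so the value
    checked is not the value used. Returns (allowed_by_check, value_actually_used)."""
    once = unquote(raw)             # what $_GET['start'] would contain
    allowed = legacy_filter(once)
    return allowed, unquote(once)   # the second decode happens after the check


# Constructed allowlist of the exact commands the page is meant to run.
ALLOWED_COMMANDS = {"id", "date", "uptime"}


def hardened_filter(raw):
    """Defensive version: canonicalize first, reject anything that still looks
    encoded, then require exact membership instead of a substring blacklist."""
    value = unquote(raw)
    if "%" in value:                # encoded residue would change meaning on a later decode
        return False
    return value in ALLOWED_COMMANDS


if __name__ == "__main__":
    for sample in ["id", "ls", "m4 *", "%2573h"]:
        print(f"{sample!r:10} legacy={legacy_filter(unquote(sample))} "
              f"hardened={hardened_filter(sample)}")
```

The substring blacklist has to enumerate every dangerous token and still lets through short commands it never anticipated, and checking a value that is decoded again afterwards means the check and the execution see different strings; the hardened version removes both problems by checking the canonical value against an exact allowlist.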

Bash Bypass Restrictions

You can find them on hacktricks:
https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions

Final words…

The thing here is that I learnt new things. That’s the ultimate goal of CTFs. I have added double encoding and bash bypass restrictions to my list of tools and will do further research on them. Further thanks to team FR334AKS-MINI for their support. You can find them and me on Twitter at https://twitter.com/_parsz and https://twitter.com/fr334aksmini. Long live team fr334aks-mini.

Till another CTF,

Parsz.

