KnightCtf Jan 2022

Parsz
5 min read · Jan 21, 2022

This is one of the CTFs that start the year; it took place from 20th Jan 2022 to 21st Jan 2022. It was a jeopardy-style CTF.

This was my first international CTF and I belonged to the team:

I decided to tackle the web category and was able to do at least three of the eleven challenges, which was not impressive (will do better, captain @Winter XD). Hope I will solve more challenges in upcoming events. The challenges required at least some knowledge of PHP and were:

1. Find Pass Code -1.

This challenge supposedly required the correct pass code to get the flag. However, that turned out not to be the case.

On interacting with the page, I tried different words and numbers but kept getting the same response on every occasion.

Viewing the page source showed this:

<div class="title-text">Welcome to Pass Code Verification</div><br>
<!-- Hi Serafin, I learned something new today.
I build this website for you to verify our KnightCTF 2022 pass code. You can view the source code by sending the source param
-->

<form action="" method="POST">
<label>Pass Code</label>
<input class="form-control" type="text" placeholder="Enter Pass Code" name="pass_code">
<input class="form-control" type="submit" value="Verify" />
</form>

One of the site’s builders left a note to their partner advising them that to view the original source code they had to send the source parameter. We do exactly that → http://find-pass-code-one.kshackzone.com/?source. This returns the page’s PHP source, which explains why I kept getting the wrong pass code error.

The PHP code compares the pass_code we enter to $flag by using strcmp(). SYNTAX: strcmp( $string1, $string2 ) where $string1 and $string2 are the strings to be compared.

Return Values: strcmp() returns an integer whose sign depends on how the two strings compare:

  • Returns 0 if the strings are equal.
  • Returns a negative value (< 0), if $string2 is greater than $string1.
  • Returns a positive value (> 0) if $string1 is greater than $string2.

After a bit of research, it seemed that strcmp() had some issues when comparing a string to something else. In PHP, a variable is considered null if it has been assigned the constant null or has not been set to any value yet, and under loose comparison NULL == 0. So if we can make strcmp() return NULL, the check is bypassed. We send the POST request as pass_code[]=lol, so $pass_code becomes an array. When strcmp() is given an array, instead of throwing an error it returns NULL, and since NULL == 0 in PHP the string comparison passed and we got the flag :)
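To make that behaviour concrete, here is an added example (my own reconstruction, not the challenge’s source) of the loose strcmp() check beside a hardened version of the same check. The flag value, the function names and the three inputs are constructed for the demo. One caveat worth knowing: the NULL return is PHP 7.x behaviour; on PHP 8, strcmp() given an array throws a TypeError, so the array trick no longer passes the check there.

```php
<?php
// Added example, not the challenge's source: the strcmp() check the writeup
// infers from the leaked PHP, beside a hardened version of the same check.

$flag = 'KCTF{placeholder_flag}'; // placeholder; the real flag is not reproduced here

// Vulnerable check. The strcmp() result is compared to 0 with loose ==.
// On PHP 7.x, strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true, so the check passes for a non-string input.
// On PHP 8 the same call throws a TypeError, so the bypass fails there.
function vulnerable_check($pass_code, string $flag): bool
{
    try {
        return @strcmp($pass_code, $flag) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8: treat the type error as a failed check
    }
}

// Hardened check: accept only a string, then compare with hash_equals(),
// which returns a strict bool and runs in constant time.
function hardened_check($pass_code, string $flag): bool
{
    if (!is_string($pass_code)) {
        return false;
    }
    return hash_equals($flag, $pass_code);
}

// Constructed inputs, shaped like $_POST['pass_code'] after PHP parses
// pass_code=<value> and pass_code[]=lol respectively.
$inputs = [
    'correct' => $flag,
    'wrong'   => 'lol',
    'array'   => ['lol'],
];

foreach ($inputs as $label => $input) {
    printf("%-8s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export(vulnerable_check($input, $flag), true),
        var_export(hardened_check($input, $flag), true));
}
```

Run under PHP 7.x, the `array` row shows `vulnerable=true hardened=false`, which is exactly the gap the challenge exploits; the hardened version closes it both by type-checking the input and by never comparing a possibly-NULL result with ==.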

2. Most Secure Calculator -1.

The calculator works like a normal calculator. On viewing the source code, something interesting came up.

<!-- 
Hi Selina,
I learned about eval today and tomorrow I will learn about regex. I have build a calculator for your child.
I have hidden some interesting things in flag.txt and I know you can read that file.
-->

The author of the website used eval()! I, like many others, consider it dangerous if implemented carelessly. What eval() does is evaluate a string as PHP code; for it to work, the string must be valid PHP code. For example, the code below:

<?php

$command = 'echo "Hello";';

// eval() runs the contents of $command as PHP code, so this prints Hello
eval($command);

?>

eval() will execute the contents of the $command variable as long as it is valid PHP code. I’m assuming the calculator takes input from the user and stores it in a variable, eval() carries out the operation, and the result is echoed out. To read the flag.txt file I use readfile(“flag.txt”) as input, which gives me the flag.
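As an added example (mine, not the challenge’s code), here is the eval() pattern the writeup infers beside a small evaluator that never passes user input to eval(). The class and function names are assumptions; the inputs at the bottom are constructed, and the readfile() string is included only to show the safe path rejecting it.

```php
<?php
// Added example, not the challenge's code: the eval() pattern the writeup
// infers, beside an evaluator that never hands user input to eval().

// Vulnerable pattern: any valid PHP expression the user submits is executed.
function calc_with_eval(string $expr): string
{
    return (string) eval('return ' . $expr . ';');
}

// Hardened alternative: a recursive-descent evaluator for + - * / and
// parentheses over numeric literals. Anything else is rejected up front.
final class SafeCalc
{
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $expr): float
    {
        if (!preg_match('/^[0-9+\-*\/(). \t]+$/', $expr)) {
            throw new InvalidArgumentException('disallowed characters');
        }
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        $calc = new self();
        $calc->tokens = $m[0];
        $value = $calc->expr();
        if ($calc->pos !== count($calc->tokens)) {
            throw new InvalidArgumentException('trailing tokens');
        }
        return $value;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }

    // expr := term (('+'|'-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    // term := factor (('*'|'/') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    // factor := number | '(' expr ')' | ('+'|'-') factor
    private function factor(): float
    {
        $tok = $this->next();
        if ($tok === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('missing )');
            }
            return $v;
        }
        if ($tok === '-') { return -$this->factor(); }
        if ($tok === '+') { return $this->factor(); }
        if ($tok !== null && is_numeric($tok)) { return (float) $tok; }
        throw new InvalidArgumentException('unexpected token');
    }
}

// Constructed inputs: ordinary arithmetic plus the readfile() payload from
// the writeup, which the safe evaluator rejects before anything is evaluated.
foreach (['1+2*3', '(4-1)/2', '-(2.5*4)', '2/0', 'readfile("flag.txt")'] as $expr) {
    try {
        printf("%-22s => %s\n", $expr, SafeCalc::evaluate($expr));
    } catch (Throwable $e) {
        printf("%-22s => rejected (%s: %s)\n", $expr, get_class($e), $e->getMessage());
    }
}
echo "calc_with_eval('1+2') => ", calc_with_eval('1+2'), "\n";
```

The note in the page source mentions learning regex next; a character allowlist alone is a weaker fix than a parser, because a regex that is even slightly too permissive (letters, quotes, backticks) reopens the same eval() hole. Parsing the arithmetic yourself removes eval() from the request path entirely.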

3. My PHP site.

Local file inclusion (LFI) came into my head on seeing the URL → http://137.184.133.81:15002/?file=index.html

A Local File Inclusion can occur when an application includes a file based on user input without properly validating it. This flaw enables a person to include malicious files by manipulating the input. If there is improper input sanitization, an attacker can easily modify the input and manipulate the application into accessing unauthorized files and directories on the host server by using the “../” sequence. This is known as Directory or Path Traversal.

I started working on manipulating the input to:

http://137.184.133.81:15002/?file=../index.html

Which brought this error that helped a lot.

I could read the PHP code of the file by using the php://filter stream wrapper, which base64-encodes the file before it is included, and then decoding the output locally.

php://filter/convert.base64-encode/resource=

http://137.184.133.81:15002/?file=php://filter/convert.base64-encode/resource=index.php

The output was:


In my terminal:

This revealed the location of the flag, and heading to → http://137.184.133.81:15002/?file=s3crEt_fl49.txt gave me the flag

KCTF{L0C4L_F1L3_1ncLu710n}.
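For contrast with the ?file= handler above, here is an added example (my own code, not the challenge’s) of a page loader that resolves the requested file safely: it refuses stream wrappers such as php://filter, resolves the path with realpath() and checks it still sits under the pages directory, and only then allows .html pages. The directory layout, file names and probe inputs are constructed in a temp directory so the script runs offline.

```php
<?php
// Added example, not the challenge's code: a hardened ?file= resolver run
// against a constructed directory layout in the system temp dir.

// Vulnerable pattern the writeup infers from ?file=index.html: the raw
// parameter reaches include, which honours ../ traversal and php:// wrappers.
function include_page_vulnerable(string $file): void
{
    include $file;
}

// Hardened resolver: returns the absolute path to include, or throws with the
// reason it was refused.
function resolve_page(string $requested, string $pagesDir): string
{
    // Stream wrappers never resolve to a file under $pagesDir; reject any
    // scheme prefix before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        throw new RuntimeException('stream wrappers are not allowed');
    }
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('pages directory missing');
    }
    // realpath() collapses ../ so the containment check below sees the
    // real target, not the string the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        throw new RuntimeException('no such page');
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes the pages directory');
    }
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'html') {
        throw new RuntimeException('only .html pages may be included');
    }
    return $candidate;
}

// Constructed layout: <tmp>/lfi_demo_<pid>/pages/{index.html,index.php}
// plus a secret.txt one level above the pages directory.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
$files = [
    $pages . '/index.html' => "<h1>index</h1>\n",
    $pages . '/index.php'  => "<?php echo 'php page';\n",
    $root  . '/secret.txt' => "constructed secret, not a real flag\n",
];
foreach ($files as $path => $content) {
    file_put_contents($path, $content);
}

$probes = [
    'index.html',
    '../secret.txt',
    'php://filter/convert.base64-encode/resource=index.php',
    'index.php',
    'missing.html',
];
foreach ($probes as $p) {
    try {
        $resolved = resolve_page($p, $pages);
        printf("%-55s => ok, including %s: ", $p, basename($resolved));
        include $resolved; // prints the page body
    } catch (RuntimeException $e) {
        printf("%-55s => refused: %s\n", $p, $e->getMessage());
    }
}

// Clean up the constructed layout.
foreach (array_keys($files) as $path) {
    unlink($path);
}
rmdir($pages);
rmdir($root);
```

Only the first probe is included; the traversal, the php://filter wrapper, the .php source file and the missing page are each refused with a distinct reason, which is also useful to log when hunting for LFI probes against a real site.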

It was fun and also frustrating, especially working out the strcmp() vulnerability. My team and I hope to do better. Long live team fr334aks and fr334aks-mini. Thanks to KnightCtf for the event. https://knightsquad.org/

PARSZ.
