{"id":1242,"date":"2015-09-23T02:18:47","date_gmt":"2015-09-23T00:18:47","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=1242"},"modified":"2015-09-23T02:21:33","modified_gmt":"2015-09-23T00:21:33","slug":"ekoparty-pre-ctf-2015-web50-hackers-market-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/09\/23\/ekoparty-pre-ctf-2015-web50-hackers-market-write-up\/","title":{"rendered":"[EKOPARTY PRE-CTF 2015] [Web50 \u2013 Hacker’s Market] Write Up"},"content":{"rendered":"

Description<\/h2>\n

Hacker’s market site is not ready but you can send us some comments!<\/p><\/blockquote>\n

<\/p>\n

Resolution<\/h2>\n

Nous voil\u00e0 devant un mignon petit site, avec des URLs toutes aussi mignonnes.<\/p>\n

Au 1er clic sur l’un des liens du site, on peut apercevoir dans notre barre d’adresse des param\u00e8tres int\u00e9ressants : \u00ab\u00a0index.php?p=pages\/login.tpl\u00a0\u00bb.<\/p>\n

Ici on pense tout de suite \u00e0 une faille include, on modifie le param\u00e8tre \u00ab\u00a0p\u00a0\u00bb pour y mettre \u00ab\u00a0login.php\u00a0\u00bb.<\/p>\n

Cela fonctionne du premier coup, nous r\u00e9cup\u00e9rons le code source de la page de login, cela veut aussi dire que ce n’\u00e9tait pas un include mais plut\u00f4t un file_get_contents(), sinon le code aurait \u00e9t\u00e9 ex\u00e9cut\u00e9 au lieu d’\u00eatre affich\u00e9.<\/p>\n

\r\n<?php\r\n\/\/ NULL Code Obfuscator\r\n\/\/ www.null-life.com\r\ninclude 'encoder.php';\r\n\r\nerror_reporting(0);\r\n\r\n$code =\r\n'm2lSp9NqH\/+GdlqrrV893KZUVeqfbhvj1VJbr9QpUq6XYgL7iydW0KJAIdupKALugXwF4IBrVdLbJlL0+C9Sr9IrF+KTZh6vzy9W0KJAIdupKBfik2YeqK80eK\/SL1Krgm4B\/NIvT6\/WUCLAoVspqIJuAfyFYADr1VJJhfgvUq\/SIF2vuy8R7pwvHOCGLxbmgWwe4IFqUvuaalL9l24er5lqC6+Te1L7mmYBr59gH+qce3iv0i9SoN0vVuSXdlKy0igA7pxrHeKtfxr\/rWAQ6Yd8Ee6GZh3h1TR4r9IvUquZaguvzy9VqMkFUq\/SLxvp0idW6p9uG+PSMk+y0igT659mHM+abhHkl30f7oBkF\/vcYBzmnWFVr9QpUquCbgH80jJPstIoE+ufZhyo2y8JhdIvUq\/SL1Kvl2wa4NIoTuubeVLsnm4B\/M8tE+OXfQavk2MX\/YYiAfqRbBf8gS1S\/Z1jF7LQbh7qgHtQsc58Bv2dYRWxhWoe49JrHeGXLk6ggXsA4JxoTK+3RD301S9cr9ZkF\/bSIVKojzNd65t5TKjJBVKv0i8Pr5djAerSdHiv0i9Sr9IvUuqRZx2v1TMW5oQvEeOTfAGy0G4e6oB7Uu6eagD732sT4ZVqAK3SfR3jlzJQ7p5qAPvQMU78hn0d4ZUxPefSfBzugi5OoIF7AOCcaEyvpX0d4ZUvEf2XaxfhhmYT44EzXeubeUyoyQVSr9IvD4WPLxfjgWpS9PgvUq\/SZxfulmoAp9VDHeyTexvgnDVS5pxrF\/fcfxr\/1SZJhY8=';\r\n\r\n$base = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65";\r\neval(NULLphp\\getcode(basename(__FILE__), $base($code)));\r\n\r\n?>\r\n<\/pre>\n
On peut voir que le fichier est encod\u00e9. Voyons voir la t\u00eate de la classe d’encodage en la r\u00e9cup\u00e9rant de la m\u00eame mani\u00e8re que la page de login :<\/p>\n
\r\n<?php\r\n\r\nnamespace NULLphp;\r\n\r\n$seed = 13;\r\nfunction rand() {\r\n    global $seed;\r\n\r\n    return ($seed = ($seed * 127 + 257) % 256);\r\n}\r\n\r\nfunction srand($init) {\r\n    global $seed;\r\n\r\n    $seed = $init;\r\n}\r\n\r\nfunction generateseed($string) {\r\n    $output = 0;\r\n\r\n    for ($i = 0; $i < strlen($string); $i++) {\r\n        $output += ord($string[$i]);\r\n    }\r\n\r\n    return $output;\r\n}\r\n\r\nfunction getcode($filename, $code) {\r\n    srand(generateseed($filename));\r\n\r\n    $result = '';\r\n    for ($i = 0; $i < strlen($code); $i++) {\r\n        $result .= chr(ord($code[$i]) ^ rand());\r\n    }\r\n\r\n    return $result;\r\n}\r\n?>\r\n<\/pre>\n
Le fichier a \u00e9t\u00e9 encod\u00e9 avec un code qui xor chacun de ses caract\u00e8res sur un rand() dont la seed est calcul\u00e9e en fonction du nom du fichier.
\nRien de bien exotique ici, il suffit de connaitre le nom du fichier qu’on veut d\u00e9coder pour le r\u00e9cup\u00e9rer en clair, sans autre modification.<\/p>\n
Pour voir le code de la page, on remplace le eval par un echo, et on d\u00e9code le tout avec :<\/p>\n
\r\n<?php\r\n$code =\r\n'm2lSp9NqH\/+GdlqrrV893KZUVeqfbhvj1VJbr9QpUq6XYgL7iydW0KJAIdupKALugXwF4IBrVdLbJlL0+C9Sr9IrF+KTZh6vzy9W0KJAIdupKBfik2YeqK80eK\/SL1Krgm4B\/NIvT6\/WUCLAoVspqIJuAfyFYADr1VJJhfgvUq\/SIF2vuy8R7pwvHOCGLxbmgWwe4IFqUvuaalL9l24er5lqC6+Te1L7mmYBr59gH+qce3iv0i9SoN0vVuSXdlKy0igA7pxrHeKtfxr\/rWAQ6Yd8Ee6GZh3h1TR4r9IvUquZaguvzy9VqMkFUq\/SLxvp0idW6p9uG+PSMk+y0igT659mHM+abhHkl30f7oBkF\/vcYBzmnWFVr9QpUquCbgH80jJPstIoE+ufZhyo2y8JhdIvUq\/SL1Kvl2wa4NIoTuubeVLsnm4B\/M8tE+OXfQavk2MX\/YYiAfqRbBf8gS1S\/Z1jF7LQbh7qgHtQsc58Bv2dYRWxhWoe49JrHeGXLk6ggXsA4JxoTK+3RD301S9cr9ZkF\/bSIVKojzNd65t5TKjJBVKv0i8Pr5djAerSdHiv0i9Sr9IvUuqRZx2v1TMW5oQvEeOTfAGy0G4e6oB7Uu6eagD732sT4ZVqAK3SfR3jlzJQ7p5qAPvQMU78hn0d4ZUxPefSfBzugi5OoIF7AOCcaEyvpX0d4ZUvEf2XaxfhhmYT44EzXeubeUyoyQVSr9IvD4WPLxfjgWpS9PgvUq\/SZxfulmoAp9VDHeyTexvgnDVS5pxrF\/fcfxr\/1SZJhY8=';\r\n\r\n$base = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65"; \/\/ base64_decode\r\necho(NULLphp\\getcode('login.php', $base($code)));\r\n<\/pre>\n
Ce qui nous donne la page en clair :<\/p>\n
\r\n<?php\r\nif (!empty($_POST['email']) && !empty($_POST['password'])) {\r\n  $email = $_POST['email'];\r\n  $pass = $_POST['password'];\r\n  \/\/ I can not disclose the real key at this moment\r\n  \/\/ $key = 'random_php_obfuscation'; $key = '';\r\n  if ($email === 'admin@hackermarket.onion' && $pass === 'admin') {\r\n    echo 'well done! EKO{' . $key . '}';\r\n  }\r\n  else {\r\n    echo 'Oh snap! Wrong credentials';\r\n  }\r\n}\r\nelse {\r\n  header('Location: index.php');\r\n}\r\n?>\r\n<\/pre>\n
Le flag est en clair dans un commentaire \\o\/ !<\/p>\n
Le flag est : EKO{random_php_obfuscation}<\/p>\n","protected":false},"excerpt":{"rendered":"
Description Hacker’s market site is not ready but you can send us some comments!<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,70],"tags":[89,90,54],"class_list":["post-1242","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-ekoparty","tag-lfi","tag-obfuscation","tag-php"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=1242"}],"version-history":[{"count":3,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1242\/revisions"}],"predecessor-version":[{"id":1273,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/1242\/revisions\/1273"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=1242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=1242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=1242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}