+++
author = "Maik de Kruif"
title = "Challenge 22 - AdventOfCTF"
date = 2021-03-04T01:24:34+01:00
description = "A writeup for challenge 22 of AdventOfCTF."
cover = "img/adventofctf/6c0810c1568645bcf58da67a1db6e3e7.png"
tags = [
  "AdventOfCTF",
  "challenge",
  "ctf",
  "hacking",
  "writeup",
  "web",
  "php",
  "ssrf",
]
categories = [
  "ctf",
  "writeups",
  "hacking",
]
+++

- Points: 2200

## Description

We have a new service! You can view santa's favorite pictures. Currently there is only one, but it is a very good one!

You can get the flag through flag.php.

Visit https://22.adventofctf.com to start the challenge.

## Recon

Upon opening the challenge website, we're greeted with a link with the text "Is this santa?". If we click on it, it redirects to `/index.php?image=cat.jpg`. This page shows us a nice picture of a cat.

## Finding the vulnerability

When looking at this, you might think of Local File Inclusion (LFI). This makes sense, as it is one of the most common vulnerabilities in code that opens files based on user input. We can try to use it to open `flag.php`.

To try this, let's replace `cat.jpg` with `flag.php` in the URL. When opening the page, we will see a broken image; this is expected, as the file is not an image. If we open the source we find the following:

```html
```

Here we see some `base64` encoded data, let's decode it using the following command:

```bash
echo -n "PD9waHAKCmluY2x1ZGUoInNlY3JldC5waHAiKTsKCmlmIChzdHJwb3MoY2hlY2tfc2VjcmV0KCksICJhbGxvdyIpICE9PSBmYWxzZSkgewogICBlY2hvIGdldF9mbGFnKCk7IAp9Cgo/Pgo=" | base64 -d
```

```php
<?php

include("secret.php");

if (strpos(check_secret(), "allow") !== false) {
   echo get_flag(); 
}

?>
```

If we look at this code, we see that if `check_secret()` contains `"allow"`, it will execute the `get_flag()` function (which will probably give us the flag). The functions are not defined in this file, so they probably come from `secret.php`. Let's try to read that file.

Alas, we get the cat picture again. That's weird. There might be a filter on the input. Let's verify that by reading the `index.php` file.
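Before continuing with `index.php`, it is worth looking at the bug from the other side. The handler behind `/index.php?image=...` hands a user-supplied name to a file-reading function, which is why `flag.php` comes back as if it were a picture. The following is an added example written for this writeup, not the challenge's own code, of how such a handler is normally hardened: the image directory name, the extension allowlist and the PHP 8 string helpers are assumptions.

```php
<?php
// Added example (not the challenge's code): a hardened image-serving handler.
// Assumptions: images live in ./images next to this script, and PHP >= 8.0
// (str_contains / str_starts_with).

declare(strict_types=1);

const IMAGE_DIR   = __DIR__ . '/images';   // assumed location of cat.jpg
const ALLOWED_EXT = [                       // assumed allowlist: extension => MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/**
 * Resolve a user-supplied image name to an absolute path inside IMAGE_DIR.
 * Returns null for anything that is not a plain, existing image file there.
 */
function resolve_image(string $name): ?string
{
    // 1. Only a bare filename is acceptable: no directory separators,
    //    no "..", no NUL bytes (and therefore no php:// style wrappers).
    if ($name === '' || basename($name) !== $name || str_contains($name, "\0")) {
        return null;
    }

    // 2. Only known image extensions are served, so "flag.php" or
    //    "secret.php" can never be selected, whatever the directory contains.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }

    // 3. Resolve symlinks and confirm the real path is still below IMAGE_DIR.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return is_file($path) ? $path : null;
}

$path = resolve_image($_GET['image'] ?? 'cat.jpg');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream raw bytes with an explicit image Content-Type. The file is never
//    include()d or evaluated, and its contents are never reflected into HTML,
//    so even a non-image file in the directory would not leak source code.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_EXT[$ext]);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The three checks are deliberately layered: the `basename()` comparison rejects traversal and wrapper prefixes outright, the extension allowlist limits what can be served even if a traversal slipped through, and the `realpath()` prefix check catches symlinks inside the image directory that point elsewhere. A sanitising filter on the input alone (the kind the writeup suspects when `secret.php` yields the cat again) is the weakest of the three, because it has to anticipate every encoding of `..` or `/`.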
Using the same decoding method, we get the following result:

{{< code language="php" title="index.php" >}}
```html
```
{{< /code >}}