+++
author = "Maik de Kruif"
title = "Dubstep"
subtitle = "Challenge 22 - AdventOfCTF"
date = 2021-03-04T01:24:34+01:00
description = "A writeup for challenge 22 of AdventOfCTF."
cover = "img/writeups/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png"
tags = [
  "AdventOfCTF",
  "challenge",
  "ctf",
  "hacking",
  "writeup",
  "web",
  "php",
  "ssrf",
]
categories = [
  "ctf",
  "writeups",
  "hacking",
]
+++

- Points: 2200

## Description

We have a new service! You can view santa's favorite pictures. Currently there is only one, but it is a very good one!

You can get the flag through flag.php.

Visit to start the challenge.

## Recon

Upon opening the challenge website, we're greeted with a link with the text "Is this santa?". If we click on it, it redirects to `/index.php?image=cat.jpg`. This page shows us a nice picture of a cat.

## Finding the vulnerability

When looking at this, you might think of Local File Inclusion (LFI). This makes sense, as it is one of the most common vulnerabilities in code that opens files. We can try to use it to open `flag.php`.

To try this, let's replace `cat.jpg` with `flag.php` in the URL. When opening the page, we will see a broken image; this is expected, as the file is not an image. If we open the source, we find the file's contents embedded as `base64` encoded data. Let's decode it using the following command:

```bash
echo -n "PD9waHAKCmluY2x1ZGUoInNlY3JldC5waHAiKTsKCmlmIChzdHJwb3MoY2hlY2tfc2VjcmV0KCksICJhbGxvdyIpICE9PSBmYWxzZSkgewogICBlY2hvIGdldF9mbGFnKCk7IAp9Cgo/Pgo=" | base64 -d
```

```php
<?php

include("secret.php");

if (strpos(check_secret(), "allow") !== false) {
   echo get_flag();
}

?>
```

If we look at this code, we see that if `check_secret()` contains `"allow"`, it will execute the `get_flag()` function (which will probably give us the flag). The functions are not defined in this file, so they probably come from `secret.php`. Let's try to read that file.

Alas, we get the cat picture again. That's weird. There might be a filter on the input. Let's verify that by reading the `index.php` file.

Using the same decoding method, we get the following result:

{{< code language="php" title="index.php" >}}
```html
Advent of CTF 22

Advent of CTF 22

Your daily dose of CTF for December

The big reveal

Is this santa? '; } ?>

The Advent of CTF is brought to you by NOVI Hogeschool. It is built by @credmp. If you are looking for a Dutch Cyber Security Bachelor degree or bootcamp, check us out.

```
{{< /code >}}

Just the PHP part:

```html
Is this santa? '; } ?>
```

Here we see that we cannot get any file containing "secret". This means we have to find another way to get the flag.

We see that this code is using the `file_get_contents()` function to open the file. Let's have a look at the [PHP documentation for it](https://www.php.net/manual/en/function.file-get-contents.php). If we read a bit, we find the following example usage:

```php
<?php
$homepage = file_get_contents('http://www.example.com/');
echo $homepage;
?>
```

This means it can also open URLs and, since we control the input to the function, we have a Server-Side Request Forgery (SSRF) vulnerability. Let's try to use that to open the flag file.

To test this, we can use the following input: `image=http://localhost/flag.php`.

_Note: We cannot use the `secret.php` file, as any input containing "secret" is blocked._

We, again, got some base64 encoded data back, so let's decode it:

```bash
echo -n "Tk9WSXthc2tpbmdfZm9yX2FfZnJpZW5kfQ==" | base64 -d
```

## Solution

We got the flag! It is `NOVI{asking_for_a_friend}`.
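The root cause in this challenge is a substring blocklist placed in front of `file_get_contents()`, which neither stops other local files from being read nor prevents the function from following URLs. As an added example (not the challenge's own source, which the writeup only describes), the PHP below contrasts that pattern with a hardened image loader that confines lookups to a fixed directory and rejects anything that is not a plain image filename. The function names, the `images/` directory and the extension allowlist are assumptions.

```php
<?php
// Added example, not the challenge source. Function names, the images/ directory
// and the extension list are assumptions chosen for illustration.

// The pattern the writeup describes: a "secret" substring check in front of
// file_get_contents(). It does not stop ?image=flag.php, and because
// file_get_contents() accepts URLs, ?image=http://localhost/flag.php turns the
// parameter into a server-side request (SSRF).
function load_image_vulnerable(string $image)
{
    if (strpos($image, 'secret') !== false) {
        return false;
    }
    return file_get_contents($image);
}

// Hardened: map the user-supplied name onto a file inside $baseDir, and only
// accept files with an allowed image extension. Returns the resolved path, or
// null when the request must be refused.
function resolve_image_path(string $image, string $baseDir): ?string
{
    $allowedExt = ['jpg', 'jpeg', 'png', 'gif'];

    // basename() strips every directory component, and with it any scheme such
    // as "http://" or "php://", so only a bare filename survives.
    $name = basename($image);
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // flag.php, secret.php and friends never pass this check
    }

    // realpath() returns false for missing files and collapses any "..", so a
    // final prefix check guarantees the file really lives under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Minimal handler in the spirit of index.php?image=cat.jpg: embed the image as
// a data: URI, the way the challenge page does, but only from the safe path.
$image = $_GET['image'] ?? 'cat.jpg';
$path = resolve_image_path($image, __DIR__ . '/images');
if ($path === null) {
    http_response_code(404);
    exit('image not found');
}

$mime = mime_content_type($path);          // requires the fileinfo extension
$data = base64_encode(file_get_contents($path));
echo '<img src="data:' . htmlspecialchars($mime, ENT_QUOTES) . ';base64,' . $data . '">';
```

With this loader, `?image=flag.php` fails the extension check, `?image=../secret.php` is reduced to `secret.php` by `basename()` and then fails the same check, and `?image=http://localhost/flag.php` is reduced to `flag.php` before `file_get_contents()` ever sees it. Setting `allow_url_fopen=Off` in `php.ini` is worth doing as defence in depth, since it disables the `http://` and `ftp://` wrappers, but it does not stop reads of local files or the `php://` wrapper, which is why path confinement is the check that actually matters here.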