[CSAW 2016] mfw Writeup

Standard

Description:

Hey, I made my first website today. It’s pretty cool and web7.9.
http://web.chal.csaw.io:8000/

 

Entering the site, the first thing that comes to mind is a LFI attack. The site is including a page which is requested in the URL.

The following table describes the possible respond pages:

URL Result
http://web.chal.csaw.io:8000/?page=home The “home” page is shown.
http://web.chal.csaw.io:8000/?page=about The “about” page is shown.
http://web.chal.csaw.io:8000/?page=contact The “contact” page is shown.
http://web.chal.csaw.io:8000/?page=Megabeets Just a message saying: “That file doesn’t exist!”
http://web.chal.csaw.io:8000/?page=flag An empty page is shown inside the website.
http://web.chal.csaw.io:8000/?page=../../../../etc/passwd Just a message saying: “Detected hacking attempt!”

Looking at the source code i saw the following comment:

Ok, I need to get the “flag” page but any LFI technique I tried didn’t work. I thought about something else, In the “about” page the creator of the site mentioned that it was built using git. So let’s see if I am able to download the repository. The page http://web.chal.csaw.io:8000/.git/config exists so I downloaded the repository using DVCS-RIPPER.

You can find index.php here.

So the page is using assert() which is vulnerable to Command Injection attack. After a little trial and error I came up with the answer:

And received the flag:

If you try entering the url in a browser, look in the source of the page (CTRL+U), the flag is commented.

Share

Leave a Reply

Your email address will not be published. Required fields are marked *