BambooFox CTF 2021
This was a great CTF! Tried the web challenges and I think I did better than last time haha. Managed to complete 1 challenge by myself with no hints! It was similar to what I attempted on TetCTF but with a little tweak and different method. So… yeah I am happy with myself LOL!
You may find my local testing script here:
Challenge 1: ヽ(#`Д´)ﾉ (Didn’t solve this one)
There are many weird ass symbols there, so rewriting the code, we get something like this:
First, we will be exploiting the very famous PHP Type Juggling exploit.
//a check is done on $a to ensure that it is shorter than 10
Usually the server will be expecting a string type input. However, if we supply ‘cmd’ as an ARRAY like this:
strlen() cannot operate on an array: in PHP 7 it emits a warning and returns NULL instead of a length, and NULL < 10 evaluates as true, so the length check is bypassed. In the same way, preg_match() given an array emits a warning and returns false, so the second check is bypassed as well!!
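To show why an array-shaped parameter slips past string checks and how a validator should reject it, here is an added example (not the challenge's source): the weak check is a reconstruction based on the writeup's description (length under 10 plus a preg_match blacklist; the exact pattern is assumed), and safe_check is the hardened version.

```php
<?php
// Added example, not the challenge's code. The exact blacklist pattern
// used by the challenge is unknown; '/\W/' is an assumption.

// Weak check: behaves as the writeup describes when $cmd is an array.
function weak_check($cmd): bool
{
    // PHP 7: strlen()/preg_match() on an array emit a warning and return
    // NULL/false, so "NULL < 10" is true and "!false" is true: both pass.
    // PHP 8: both calls throw TypeError instead (the @ does not stop that).
    return @strlen($cmd) < 10 && !@preg_match('/\W/', $cmd);
}

// Hardened check: reject anything that is not a plain string first,
// then apply the length rule and an allow-list instead of a blacklist.
function safe_check($cmd): bool
{
    if (!is_string($cmd)) {
        return false;            // cmd[...]=... arrives as an array: reject
    }
    if (strlen($cmd) >= 10) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9_]+$/', $cmd) === 1;
}

// Constructed inputs: a normal string, an array as PHP parses ?cmd[x]=1
// into $_GET['cmd'], and an over-long string.
$inputs = [
    'string'  => 'hello',
    'array'   => ['x' => '1'],
    'toolong' => 'abcdefghijk',
];

foreach ($inputs as $label => $value) {
    try {
        $weak = weak_check($value) ? 'pass' : 'reject';
    } catch (TypeError $e) {
        $weak = 'TypeError (PHP 8)';
    }
    $safe = safe_check($value) ? 'pass' : 'reject';
    printf("%-8s weak=%s safe=%s\n", $label, $weak, $safe);
}
```

On PHP 7 the array input reports weak=pass and safe=reject; on PHP 8 the weak check throws a TypeError, which is still an unhandled failure rather than a validated input.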
Next, let's analyse how we can exploit the vulnerability! The function print_r($a,1) outputs something like this:
The exploit works something like an SQL injection: we terminate the generated code prematurely! By closing the PHP file early, we can append our own payload.
Payload = cmd[$a]=1)?><?php print `ls` ?>
The closing bracket after '1' terminates the print_r statement. The '?>' that follows ends the PHP block! Then we append our payload as a PHP script: '<?php command_like_this ?>'
Side note: If you find some trouble trying to send a GET request with this parameter:ヽ(#`Д´)ﾉ