BambooFox CTF 2021

This was a great CTF! Tried the web challenges and I think I did better than last time haha. Managed to complete 1 challenge by myself with no hints! It was similar to what I attempted on TetCTF but with a little tweak and different method. So… yeah I am happy with myself LOL!

You may find my local testing script here:

Challenge 1: ヽ(#`Д´)ノ (Didn’t solve this one)

Source Code

There are many weird ass symbols there, so rewriting the code, we get something like this:

Check 1 (strlen)
Check 2 (preg_match)
VULNERABILITY!!!!

First, we will be exploiting the very famous PHP Type Juggling exploit.

// a check is done on $a to ensure that it is shorter than 10 characters
strlen($a=$_GET['cmd'])

Usually the server will be expecting a string type input. However, if we supply ‘cmd’ as an ARRAY like this:

http://www.test.com/?cmd[]=1

strlen() cannot operate on an array: instead of a length it emits a warning and returns NULL, so the length check passes and we bypass it. preg_match() behaves the same way on an array subject, so with the same trick we bypass the second check too!!

Next, let's analyse how we can exploit the vulnerability! The function print_r($a, 1) outputs something like this:

The exploit works something like an SQL injection, where we end the code prematurely! By closing the PHP block early, we can append our own payload after it.

Payload = cmd[$a]=1)?><?php print `ls` ?>

The closing bracket after '1' ends the print_r statement. The '?>' after it ends the PHP block! Then we add our payload behind it as a PHP script: '<?php command_like_this ?>'
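As an added example (not the challenge's source, which the screenshots above show), here is a minimal PHP 7 reproduction of why both checks fall to an array parameter, next to a version that establishes the type before any string function runs. The regex, the length limit and the function names are assumptions standing in for the original code.

```php
<?php
// Added example, not the challenge's own source. The regex and the "< 10" limit are
// assumptions standing in for the original checks. PHP 7 semantics are assumed:
// on PHP 8 an array argument to strlen()/preg_match() throws a TypeError instead.

// Vulnerable version: every check is a string function applied straight to untrusted input.
function vulnerable_filter($cmd): ?string {
    // Check 1: strlen() on an array emits a warning and returns NULL, and NULL < 10 is true.
    // The @ only hides the warning from the page; it still reaches the PHP error log,
    // which is where a defender would spot this bypass.
    if (!(@strlen($cmd) < 10)) {
        return null;
    }
    // Check 2: preg_match() on an array likewise returns NULL (falsy), so the blacklist is skipped.
    if (@preg_match('/[a-z`;|&]/i', $cmd)) {
        return null;
    }
    // The array survives to print_r(), which flattens it into text the requester controls.
    return print_r($cmd, true);
}

// Hardened version: establish the type first, then apply the string checks.
function hardened_filter($cmd): ?string {
    if (!is_string($cmd)) {
        return null;                    // cmd[]=... never reaches strlen() or preg_match()
    }
    if (strlen($cmd) >= 10) {
        return null;
    }
    if (preg_match('/[a-z`;|&]/i', $cmd) !== 0) {
        return null;                    // a preg_match() error (false) counts as a rejection too
    }
    return print_r($cmd, true);
}

// Constructed request mirroring the write-up's payload: cmd[$a]=1)?><?php print `ls` ?>
$request = ['cmd' => ['$a' => '1)?><?php print `ls` ?>']];

var_dump(vulnerable_filter($request['cmd'])); // the array passes both checks and is flattened
var_dump(hardened_filter($request['cmd']));   // the array is rejected before any string check
var_dump(hardened_filter('1234'));            // a short, well-formed string still passes
```

Run it with `php example.php` on PHP 7 to watch the first call return the flattened text containing the `?>` and the second return NULL.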

Command Execution (Cool shit!)
On CTF Server
Final flag!!!

Side note: if you have trouble sending a GET request with this parameter: ヽ(#`Д´)ノ

URL-encode it with CyberChef:
