Monday, March 12, 2018

N1CTF 2018 - Funning eating cms

A strange online reservation system for restaurants, please hack it.


The challenge description told us little: just that we had to hack a restaurant website.

Opening the link shows the following page:

[screenshot]

After logging in we are redirected to another page:

[screenshot]

[screenshot]

Here we see the first vulnerability: a local file inclusion (LFI) through the page parameter of user.php (user.php?page=).

[screenshot]

[screenshot]

The guest file did not give us much information, so I went after other files:

[screenshot]

[screenshot]

From this code we could now reach other files that were not visible to us.

[screenshot]

[screenshot]

In function.php a few things are worth pointing out: two filters block certain words, including manage, flag and ffffllllaaaaggg, so those files cannot be reached through the LFI directly.

Running a few small tests to see what else we could get, the info file gave a useful answer:

[screenshot]

We find a hint for something we already know exists.

With everything we could get at this stage, we need to dig deeper and find a bypass for the files that were blocked.

The URL filter is built on parse_url and parse_str, and parse_url has a weakness: when extra slashes are prepended to the path (for example ///user.php?page=...), parse_url considers the URL malformed and returns false instead of an array, so the filter never sees the query string and the blacklisted words are never checked. The web server still serves user.php, and $_GET still carries the full value of page:

[screenshot]

[screenshot]
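To make the bypass concrete, here is an added example of mine, not the challenge's own function.php (that file is only visible in the screenshots). It reconstructs the filter pattern described above, shows the request that skips it, and contrasts it with a whitelist-based page resolver. The blacklist, the function names, the page-to-file mapping and the assumption that a false return from parse_url was treated as "no query string" are mine; the false return for a path starting with /// is what PHP 7 builds of that era do, and it should be verified on the target because parse_url behaviour on malformed input is version dependent.

```php
<?php
// Added example, not the challenge's own function.php (which is only shown in
// screenshots). It reconstructs the filter pattern the writeup describes and
// shows why a path with extra leading slashes bypasses it. The blacklist,
// function names and the treatment of a false return are assumptions.

declare(strict_types=1);

const BLACKLIST = ['manage', 'flag', 'ffffllllaaaaggg'];

// Vulnerable pattern: re-parse the raw request URI with parse_url() and
// parse_str(), filter what comes out, then let user.php include $_GET['page'].
// parse_url() returns false on URLs it considers seriously malformed, and a
// path beginning with "///" is one of them (observed on PHP 7; verify on the
// target, as this is version dependent). The code below treats that as "no
// query string", so nothing gets blocked.
function filter_vulnerable(string $request_uri): bool
{
    $parts = parse_url($request_uri);
    if ($parts === false || !isset($parts['query'])) {
        return true;                         // allowed: nothing to check (!)
    }
    parse_str($parts['query'], $params);
    foreach ($params as $value) {
        foreach (BLACKLIST as $word) {
            if (stripos((string) $value, $word) !== false) {
                return false;                // blocked
            }
        }
    }
    return true;
}

// Hardened pattern: decide on the values PHP actually dispatches on ($_GET),
// never on a second parse of the URI, and replace the blacklist with a
// whitelist of pages that may be included. Returns the file to include or
// null if the request must be refused.
function resolve_page(array $get): ?string
{
    $pages = ['guest' => 'guest.php', 'info' => 'info.php'];   // assumed names
    $page  = $get['page'] ?? null;
    return is_string($page) && isset($pages[$page]) ? $pages[$page] : null;
}

// What the web server hands PHP as the query string: everything after the
// first '?', independent of how many slashes precede user.php.
function simulated_get(string $request_uri): array
{
    $pos = strpos($request_uri, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($request_uri, $pos + 1), $get);
    return $get;
}

$requests = [
    '/user.php?page=guest',       // legitimate
    '/user.php?page=manage',      // blocked as intended
    '///user.php?page=manage',    // parse_url() === false: filter skipped
];

foreach ($requests as $uri) {
    $get = simulated_get($uri);
    printf("%-26s parse_url:%-5s blacklist:%-7s whitelist:%s\n",
        $uri,
        parse_url($uri) === false ? 'false' : 'array',
        filter_vulnerable($uri) ? 'allowed' : 'blocked',
        resolve_page($get) ?? 'refused');
}
```

Run it with `php filter.php`: the third request is reported as allowed by the blacklist filter although it carries the blocked word, while the whitelist resolver refuses it. The design point is that the security decision must be made on the same data the application acts on; any second parse of the raw URI can disagree with PHP's own parsing, and a blacklist on top of an LFI is a weak control in the first place.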

We found another file that was not visible before; fetching it through the LFI and reading its contents, we see that it includes a template. This means the included file is something the user can influence.

[screenshot]

[screenshot]

Opening the page, we get a file upload form.

[screenshot]

In the code we had already obtained I did not see any file-handling entry point, so I opened the page source and found the upllloadddd.php file.

[screenshot]

[screenshot]

A little analysis of the code highlights two things relevant to the bypass:

1. It calls system() on a string that the uploaded filename is concatenated into without any filtering, which gives us the possibility of RCE.

[screenshot]

2. It checks the extension of our file, so we need a way to keep a valid extension in the name.

[screenshot]

The easiest bypass I thought of was a shell # comment with the expected extension placed right after it: the extension check passes, and the shell ignores everything after the #.

[screenshot]

After a few attempts with all the files listed, I thought the flag might be in the database, so I went after the contents of config.php.

[screenshot]

I used the MySQL credentials from config.php to log into MySQL and dumped the contents of the database.

[screenshot]

[screenshot]

[screenshot]

I found many users and no flag, so I did the obvious and looked for the flag on the filesystem.

[screenshot]

We find the flag :).

[screenshot]

Then I ran into the fact that we could not use / :P

But that does not matter: we can use cd with relative paths instead.

[screenshot]
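The two tricks above (the # comment to keep a valid extension, and cd to move around without a /) come down to one root cause: the filename reaches a shell. The following is an added example of mine, not the challenge's upllloadddd.php (which is only shown in screenshots). It reconstructs the vulnerable pattern with harmless stand-in commands, runs both payload shapes against it, and shows a hardened version in which the client-supplied name never reaches a shell unescaped. The function names, the exact checks and the allowed extensions are assumptions.

```php
<?php
// Added example, not the challenge's upllloadddd.php (that file is only
// visible in the writeup's screenshots). It reconstructs the pattern the
// text describes: an extension check and a '/' check on the client-supplied
// filename, followed by a shell command the filename is concatenated into.
// Function names, the checks and the allowed extensions are assumptions.

declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

// Vulnerable pattern. shell_exec() is used instead of the original system()
// only so this demo can return the output; the injection is identical.
function upload_vulnerable(string $filename): string
{
    if (!preg_match('/\.(' . implode('|', ALLOWED_EXT) . ')$/i', $filename)) {
        return "rejected: bad extension\n";
    }
    if (strpos($filename, '/') !== false) {
        return "rejected: '/' not allowed\n";
    }
    // Stand-in for the real "mv <tmpfile> uploads/<filename>": the name is
    // pasted into the command line unquoted and unescaped.
    $cmd = 'echo storing-as-uploads ' . $filename;
    return (string) shell_exec($cmd);
}

// Hardened pattern: the client name is used for nothing but the extension
// decision, the stored name is server-generated, and if a shell command is
// unavoidable every argument goes through escapeshellarg().
function upload_hardened(string $filename): string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return "rejected: bad extension\n";
    }
    $stored = bin2hex(random_bytes(8)) . '.' . $ext;
    // In a real handler: move_uploaded_file($_FILES['f']['tmp_name'], "uploads/$stored")
    // and no shell at all. A shell is used here only to make the contrast visible.
    $cmd = 'echo storing-as-uploads ' . escapeshellarg($stored)
         . ' original-name ' . escapeshellarg($filename);
    return (string) shell_exec($cmd);
}

// Constructed payloads, named after the tricks in the writeup.
$payloads = [
    'photo.jpg',           // benign
    'x; id #.jpg',         // '#' comments out the extension: check passes, id runs
    'x; cd ..; ls #.jpg',  // leaves the upload directory without a single '/'
];

foreach ($payloads as $p) {
    echo "== $p ==\n";
    echo "vulnerable:\n", upload_vulnerable($p);
    echo "hardened:\n",   upload_hardened($p);
}
```

Run with `php upload.php`: against the vulnerable handler the second payload prints the output of id and the third lists the parent directory, while the hardened handler prints the literal filename as a single argument in both cases. Note that the extension check passes in both versions (pathinfo also sees .jpg at the end), which is the point: validating the extension does nothing against command injection; keeping user input out of the shell does.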

Tags: Capture the Flag, Web, Writeup