N1CTF 2018 - Funning eating cms
N1CTF - Funning eating cms
“a strange online reservation system for restaurants, please hacking it”
This challenge told us little, just said it was to hack a restaurant website.
Upon accessing the link, he showed us the following page:
By logging in we are redirected to another page:
Here we can see what would be the first vulnerability found, an LFI in
guest file did not give us much information, so I went after other files:
Now, from this code, we have already been able to go to other files that were not in our view.
function.php file, it is good to point out some things that are being done: we have two types of filters blocking some words, like
ffffllllaaaaggg, so we can not access these files by lfi casual.
Doing small tests to see if we get anything, we had a good answer in the
We find a hint that we already know exists.
Well, we’ve got everything we wanted right now, we need to move up the search and find a bypass to access files that were blocked at first.
The filter of the url is being done with the help of the
parse_str function, but this function has a weakness, when we add more (
/) bars in the url, we are able to make the function parsing correct and therefore does not read the entire url:
We found another file that was not in our view, looking for it in lfi and seeing its contents, we see that it is doing the
include of a template. So this means that the file is something that can be manipulated by the user.
Entering the page, we have a form to send files.
Checking the code that we had already obtained, I did not see any entries for files, so I opened the source and found the
By doing a little analysis in the code, we were able to highlight two things for the bypass:
1.It is using the
system function with a concatenation without filters, this gives us the possibility of a RCE.
2.It is checking the extension of our file, so we need a way to send an extension.
The easiest way I thought of bypassing was by using a
# comment and passing the extension right after:
After a few attempts looking at all these files listed, I thought maybe the flag was in the database, so I went behind the contents of the
I used the
mysql credentials of the
config.php file to log into
mysql and dumped the contents of the database.
I found many users and nothing flag, so I thought the obvious, look for the flag in the system.
We find the flag
So I came across that we could not use
But it does not matter, we can use