search

Free Flag

index.php
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Free Flag</title>
</head>
<body>
    
<?php


function isRateLimited($limitTime = 1) {
    $ipAddress=$_SERVER['REMOTE_ADDR'];
    $filename = sys_get_temp_dir() . "/rate_limit_" . md5($ipAddress);
    $lastRequestTime = @file_get_contents($filename);
    
    if ($lastRequestTime !== false && (time() - $lastRequestTime) < $limitTime) {
        return true;
    }

    file_put_contents($filename, time());
    return false;
}


    if(isset($_POST['file']))
    {
        if(isRateLimited())
        {
            die("Limited 1 req per second");
        }
        $file = $_POST['file'];
        if(substr(file_get_contents($file),0,5) !== "<?php" && substr(file_get_contents($file),0,5) !== "<html") # i will let you only read my source haha
        {
            die("catched");
        }
        else
        {
            echo file_get_contents($file);
        }
    }

?>
</body>
</html>

hashtag
Reading the source code

When reading the source code, simply, the application takes a POST value from the request and apply the file_get_contents function on it.

after that it compares the first 5 chars if it contains <?php or <html. If yes then the content will get printed or else we get catched

hashtag
Analyzing

file_get_contents accepts URI if the allow_url_fopen option is allowed which is default. which means we can use php:// and other protocols such as data://.

For demonstration :

Screenshot (186)

As you can see, it gets refelected in our page, however this isn't very helpful, we need to read the flag at /flag.txt but it musts start with <?php or <html so how is this possible?

If we do a quick search add prefix file_get_contents, we can find an interesting blog that talks about the wrapwrap tool : Blogarrow-up-right

Screenshot (187)

So this tool simply automate the process of using the convert.iconv and base64 filters to add prefix to our data in file_get_contents, this exploit is called PHP filter chain, you can read more about it in these links :

gynvaelarrow-up-right synack ticarrow-up-right

But the last version of the tool seems corrupted i used this commit and it works fine :

wrapwraparrow-up-right

hashtag
Exploitation

Using the command:

Will produce :

Screenshot (188)

And we get the flag :

Screenshot (189)

~ Easy peasy lemon squeezy :)

PreviousBHMEA24 QualsNextNotey

Last updated