WOWHacker CTF – Web Hacking Challenge

Challenge 8 (not accessible atm) is the only web hacking challenge in WOWHacker’s CTF. In hindsight it’s not very difficult, but in fact it took us almost 1 day to solve it.

This is a classic PHP local file inclusion attack. If you set the parameter ty and the cookie **71860c77c6745379b0d44304d66b6a13 **to the same file name, the vulnerable PHP script in challenge 8 would try to include that file. Here’s what the code looks like:

$ty = $_GET["ty"];
$page = $_COOKIE["71860c77c6745379b0d44304d66b6a13"];
if ($ty != $page)
{
    echo "Error!";
}
else
{
    if (include($ty) != 'OK')
    {
        echo "Can't find that page!";
    }
}

Update: gamma95 has just noticed me this challenge may not be a PHP local file inclusion attack. Maybe it’s just a vulnerable readfile call like this:

$ty = $_GET["ty"];
$page = $_COOKIE["71860c77c6745379b0d44304d66b6a13"];
if ($ty != $page)
{
    echo "Error!";
}
else
{
    if (file_exists($ty))
    {
        readfile($ty);
    }
    else
    {
        echo "Can't find that page!";
    }
}

For vulnerable scripts like this, the trick is to include files in known location which may contain important information, i.e. Apache httpd’s error_log or access_log. As we knew this is a Windows machine, we tried to test our theory by including *C:Windowssystem32driversetchosts *which worked as expected. At this point, we thought we were just moments away from the solution of this challenge, but in fact we were totally stuck for the next several hours.

We went on to guess the location of Apache httpd’s log files. We sent hundreds of requests, but none worked. I even downloaded and installed a copy of Apache httpd to understand its directory structure but still no luck. Why it didn’t work???

Like challenge 1, it wasn’t until we almost gave up on this challenge, we realized the simple fact: we always thought that the web server was Apache httpd while it was IIS actually! Years of abandoning Windows has brainwashed us! What a shame!

The next steps are simple. The default IIS installation would store log files in C:WINDOWSsystem32LogFilesW3SVC1exYYMMDD.log. As the premilinary round started on 2009.08.14, we guess we should include C:WINDOWSsystem32LogFilesW3SVC1ex090814.log which in turn reveals this secret script:

/tmxhffjsqkdlxmwhaWkddlsemt/answpsorltlagkrpglaemfdjttmqslek/rmfoehrufrnrdpsvntutspdy.php

This script asks for a username and password which gamma95 had bypassed it using a trivial SQL injection attack even before I figured out what I should do next. After bypassing the authentication, we obtained the flag which is: Do you know StolenByte???

No we don’t know him, but thanks for a nice challenge!

Hack.lu CTF 2011: Nebula Death Stick Services writeup (Categories: CTF - CLGT Crew)
#7th at CSAW CTF (Categories: CTF - CLGT Crew)
hack.lu CTF 2011 nebula DB systems (Categories: CTF - CLGT Crew)
#4th at hack.lu CTF (Categories: CTF - CLGT Crew)
DEFCON 19 CTF Quals: writeups collection (Categories: CTF - CLGT Crew)
Padocon 2011 CTF Karma 400 exploit: the data re-use way (Categories: CTF - CLGT Crew)

« WOWHacker CTF – Crypto Challenges ISEC 2009 CTF Prequal – Challenge 03 »

ORC Team

WOWHacker CTF – Web Hacking Challenge

Related Posts