Advent of CTF - Challenge 10

“Include”

Challenge

The challenge today is to get the flag that is in flag.php. Today you will learn:

  • Local File Inclusions in PHP
  • Rainbow tables

Solution

When files are included dynamically, things can get really messy. The flag is in flag.php.

The key to Local File Inclusion, LFI, is that you trick a program into including a file that it would not include under normal circumstances. This challenge revolves around that concept. The challenge starts with a somewhat empty page.

santa-book.png
Figure 1: The start page of the challenge

The challenge said that the flag is in flag.php. Go to the url /flag.php to see if it is available.

flag-php.png
Figure 2: The content of flag.php

The hint on the page is that we as a user need to get promoted. There is no other clue as to what to do next. Browsing the DevTools (F12) will show that there is a cookie called zeroten. Its content is a URL-encoded Base64 string. URL-decoding it yields a Base64-encoded JSON structure; note the leading eyJ, which is how the Base64 encoding of {" begins.

eyJwYWdlIjoibWFpbiIsInJvbGUiOiIxMmRlYTk2ZmVjMjA1OTM1NjZhYjc1NjkyYzk5NDk1OTY4MzNhZGM5In0=

Decoding the value will show a JSON structure with the keys page and role. The role value is encoded. As the hint said it is an include challenge, the reasonable thing to do is to change page from main to flag, assuming the application appends .php to it.

{"page":"main","role":"12dea96fec20593566ab75692c9949596833adc9"}

Change the value in the JSON structure and then Base64 encode it again.

{"page":"flag","role":"12dea96fec20593566ab75692c9949596833adc9"}

This does indeed include flag.php into the main page; however, it still shows that the user needs to get promoted.

flag-but-not-yet.png
Figure 3: The flag.php has been included.

The rabbit hole in this challenge is that a seasoned tester might consider PHP type juggling in the hash comparison. That is not the case here. The hash has to be replaced with something reasonable.

Looking up the value on hashes.com will reveal that this hash is actually the SHA1 of the word user. The hash type can be identified with a hash identifier tool. Looking up a hash in a list like this relies on a rainbow table: a precomputed list of words and their hashes that you can search without needing to hash the candidates yourself.

hashes-com.png
Figure 4: The result of lookup on hashes.com

Using CyberChef, the value admin can be passed through the SHA1 operation. This results in d033e22ae348aeb5660fc2140aec35850c4da997. Add that value to the JSON structure.

{"page":"flag","role":"d033e22ae348aeb5660fc2140aec35850c4da997"}

Encoding this structure into Base64, setting it as the cookie value in the DevTools (F12) and reloading the webpage will reveal the flag.
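As an added example (not the challenge's code), the Python script below decodes the zeroten cookie from this write-up, reproduces the dictionary lookup that identified the role hash, and shows the two server-side fixes a defender would apply: an allowlist for the included page and an HMAC over the cookie so the client cannot rewrite page or role. ALLOWED_PAGES and SERVER_KEY are constructed values.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import unquote

# Cookie value from the write-up (the line break in the page's copy is an extraction artifact).
COOKIE = ("eyJwYWdlIjoibWFpbiIsInJvbGUiOiIxMmRlYTk2ZmVjMjA1OTM1NjZhYjc1NjkyYzk5NDk1OTY4Mz"
          "NhZGM5In0=")

def decode_cookie(raw):
    """URL-decode, Base64-decode and parse the JSON state the challenge keeps client-side."""
    return json.loads(base64.b64decode(unquote(raw)))

def reverse_unsalted_sha1(digest, wordlist):
    """Tiny stand-in for the hashes.com lookup: an unsalted SHA1 of a common word falls
    to a plain dictionary comparison, which is why the role hash protects nothing."""
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == digest:
            return word
    return None

# ---- hardened server-side handling (assumed design, not the challenge's code) ----
ALLOWED_PAGES = {"main", "about"}      # constructed allowlist of includable pages
SERVER_KEY = b"constructed-demo-key"   # in practice a random secret kept on the server

def resolve_include(page):
    """Return the file to include only for allowlisted names; None otherwise."""
    return f"{page}.php" if page in ALLOWED_PAGES else None

def sign_state(state):
    """Serialise state and append an HMAC so the client cannot edit page or role."""
    body = base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_state(token):
    """Return the state dict if the HMAC checks out, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))

if __name__ == "__main__":
    state = decode_cookie(COOKIE)
    print(state, "->", reverse_unsalted_sha1(state["role"], ["guest", "user", "admin"]))
    print("flag page allowed:", resolve_include("flag"))
    token = sign_state({"page": "main", "role": "user"})
    bad = token[:-1] + ("0" if token[-1] != "0" else "1")
    print("valid token:", verify_state(token), "tampered:", verify_state(bad))
```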

flag.png
Figure 5: The flag

Go grab the points and make sure to also share your badge on social media!

badge.png
Figure 6: The badge
