Advent of CTF - Challenge 11

“Filter”

Challenge

Building on the previous challenge this adds a layer of complexity due to filtering and the use of multiple elements to achieve an exfiltration.

In this challenge you will learn:

How to detect filtering
How to use php://filter

Solution

Santa’s book of secrets has upgraded its security. All should be fine now.

The challenge starts with the same page as in Challenge 10. As the description says that the security has been upgraded, it is fair to assume it is the same type of challenge, only with some added security features.

Direct access to flag.php leads to the text Direct access not permitted. This means that this time it is not possible to get the flag from this page directly.

As with the previous challenge, there is a cookie for zerooneone.

Listing 1: The encoded cookie

eyJwYXRoIjoiLiIsInBhZ2UiOiJtYWluIn0=

As with almost all previous challenges a Base64 encoded string, a JSON structure, is stored in the cookie. Decoding it reveals 2 keys; path and page. The current values are ., for the current directory and main for the main.php page.

Listing 2: The decoded cookie

{"path":".", "page":"main" }

The first thing to try is to change the page value to flag. This should include the flag.php file that is there according to the description.

Listing 3: Use the flag as a page

{"path":".", "page":"flag" }

This, however, results in an error message. The message at the end of the line is no direct access, so apparently the file is there, but direct access to it is not allowed.

Playing around with this payload might make you try to change the path. When you use more then 1 . the path will also throw an error.

Listing 4: Include using many dots

{"path":"../../../../../../", "page":"/etc/passwd" }

The error message is displayed just like the previous one. So, the flag can not be retrieved directly and navigating the file system also seems to not work.

Investigating ways to do a file inclusion in PHP will eventually bring you to extracting data using php://filter. This is part of PHP Wrappers. It basically allows you to filter resources through a conversion tool, such as convert.base64-encode. This seems like a great opportunity.

Listing 5: Using PHP filters

{"path":".", "page":"php://filter/convert.base64-encode/resource=flag" }

It ends in an error message however. The error message says it is due to blacklist.

So, some words that are used are part of a blacklist. This means that part of the thing that was in the payload was not allowed to be there. Playing with this you will find that the word filter is not allowed in the page value. Similar in the path the word base is not allowed.

Thinking this challenge over the usage of the 2 parts of the JSON structure can be assumed to be something as in the below listing.

Listing 6: Usage of JSON data

include($data["path"] . "/" . $data["page"] . ".php");

Using this knowledge and the insight as to what is allowed in both parts the PHP wrapper can be created as a 2 part string. The first part, with filter, in the path and the second part, with the convert.base64-encode, in the page.

Listing 7: The final payload

{"path":"php://filter", "page":"convert.base64-encode/resource=flag" }

The payload will result in a big blob of Base64 text to be presented on the page.

Decoding the blob of text will show the contents of flag.php. The flag can be retrieved from the code.

Be sure to grab your points and the badge.

Go back to the homepage.