HackDatKiwiCTF 2015 - KiwiForum 1
Category: writeupsTags: web kiwictf-2015
KiwiForum 1
Web - 120 Points
A full fledged Kiwi software! And a forum at that. It’s also open source. [source link] The admins on this forum are so proud of their product, they have put their flag keys on their avatar photos!
Writeup
We have the source code of a simple php forum.
When we visit the forum, the user’s avatar don’t load and the admin avatar can’t load because is very big (7200*7800 BMP image!).
Reading the source we can see that the admin avatar is Random-generated and then scaled 200 times.
The admin avatar loading is then slowed down for normal user (except for admin)
This avatar is available in db/ folder, with name 00001.bmp
We need to see the admin’s avatar!
No SQLi, no XSS. But my attention was focused on the loader.php file.
<?php #loader.php
function do404()
{
header("404 Not Found");
echo "<h1>404 Not Found</h1>";
echo "<p>The requested URL ".htmlspecialchars($_SERVER['REQUEST_URI'])." not found.";
exit(0);
}
$request=$_GET['__r'];
unset($_GET['__r']);
$parts=explode("/",$request);
if ($parts[count($parts)-1]=="")
$parts[count($parts)]="index";
$file=realpath(__DIR__."/static/".implode("/",$parts));
if ($file and is_file($file))
{
if (!$file) do404();
require_once __DIR__."/lib/download.php";
$x=new \jf\DownloadManager();
$x->Feed($file);
}
else
{
$file=realpath(__DIR__."/app/".implode("/",$parts).".php");
if (!$file) do404();
require_once __DIR__."/load.php";
require $file;
}
NICE! We can use the __r
parameter for a Path Traversal Attack.
Now we can dowload the admin avatar with loader.php?__r=../db/00001.bmp
OT: Loading loader.php?__r=app/avatar.php
will create our user’s avatar ;)
Flag: 8e1be4281a54da04