21st January 2021
Write-up Advent of CTF challenge 22

Write-Up Advent of CTF 22

The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by our community member of the Hackdewereld.nl and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com/.

Challenge 22

  • Description: We have a new service! You can view santa’s favorite pictures. Currently there is only one, but it is a very good one! You can get the flag through flag.php.
  • 2200 Points

Well, Santa got a new service! Viewing Santa’s favorite pictures, let’s check what’s his favorite picture. We visit the challenge URL https://22.adventofctf.com. We are ending up on this web page.

Advent of CTF Challenge 22 Start Page
Advent of CTF Challenge 22 Start Page

We are have only a URL with the name Is this santa? Let’s check!

Is This santa?

Haha, Santa is adorable. For now, we’ve had enough fun, we need to complete this challenge. According to the URL, we can see te image parameter. This parameter is including the file image cat.jpg. From the previous challenge, we have some experience with file inclusion. We need to keep this in mind, it can be useful. Let’s start this easy by checking the source code. We can see that the image is not a standard URL, but a data URL.

<img src="data:image/jpeg:base64,(base64 string)
Advent of CTF Challenge 22 source code
Source Code

From the description of this challenge, we know that the flag is in flag.php. Let’s try to include the flag in the image parameter. We are ending up with this URL: https://22.adventofctf.com/index.php?image=flag.php.

Advent of CTF Challenge 22 flag
No flag (yet)

Unfortunately the flag is not yet visible. More is needed to read the flag. We can see that there is sort of a file included in our request. When we are reading the source code, we can notice that there is again a data URL visible with a base64 encoded string.

After decoding this string, it’s revealing his contents.

<?php

include("secret.php");
 if (strpos(check_secret(), "allow") !== false) {
    echo get_flag(); 
 }

?>

From this file, we can see that the flag is protected by the file secrets.php. But, we are not allowed to include this file. If we try to include this file, we got redirected to the index.php. So, we need to find a way to get around this protection. If we try a path traversal attack to get the flag with this URL https://22.adventofctf.com/index.php?image=../flag.php, the website is returning the error message: Warning: file_get_contents(../flag.php): failed to open stream: No such file or directory in /var/www/html/index.php on line 46.

Advent of CTF get_file_contents error message
file_get_contents error message

This message is an interesting one. It tries to include a file, but it’s not finding the file. This makes sense, because flag.php is probably in the current directory and not in a directory deeper. We are not authorized to call secrets.php directly. Let’s see if we can play a bit with the URL parameter image and if we can read the file secrets.php in a different way. After trying several URLs for a while I come up with the following payload for reading secrets.php: https://22.adventofctf.com/index.php?image=http://127.0.0.1/flag.php.

Through the source code, I can see this data URL:

 data:image/jpeg;base64,Tk9WSXthc2tpbmdfZm9yX2FfZnJpZW5kfQ==

After decoding the base64 string, we get the flag!

~$ echo "Tk9WSXthc2tpbmdfZm9yX2FfZnJpZW5kfQ==" | base64 -d
NOVI{asking_for_a_friend 

Thanks for reading!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *