Camp CTF 2015 – Voodoo


CTF: Camp CTF 2015
Title: Voodoo
Category: Web
Points: 250
you might need some voodoo powers to pwn this box



The service is a form that allows users to create files on the server. For instance, if I create a file with the file name “foo”, the title “Bar” and the content “Hello world”, a new file will be created:

We then decided to inject some PHP code. First we need to change the title to foo.php in order to have the file parsed as PHP. Then we tried to use PHP tags in the content, but unfortunately the content is sanitized.

We sent a list of special characters in order to identify which ones are stripped or encoded. The following characters are stripped, and the rest is HTML encoded:

However, we found out that the title is not sanitized. Unfortunately, we can put only 8 characters in it. In order to save space, we decided to use the condensed (short echo) tag, i.e. <?= .

Then we had to find a solution to escape the </h1> <br/> <br/> located between the end of the title and the content. For this, we used the heredoc syntax. We now have <?=<<<S (7 characters), then we used BurpSuite to add the %0A character (LF), which creates a new line after S.

Which means the final file contains now:

Now, we just needed to close the string with the closing identifier and then start using PHP code. The problem is that the parentheses are stripped. Therefore, we have to use language constructs instead. Good news: include is a language construct, so it needs no parentheses.

We therefore decided to enter the following for the content:

Here is the final request:

Now that we have a page that lets us control an include, we could start reading files such as /etc/passwd:

We could also use php://filter to read the content of the index file:

We also read the following files:

  •  /etc/apache2/apache2.conf
  •  /etc/apache2/sites-available/000-default.conf
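As an added example (not the challenge's code, which we never saw), here is a hypothetical PHP reconstruction of the file-creation handler showing the two defects the writeup relies on, beside a hardened version. The template string, the directory names and the list of stripped characters are assumptions; only the parentheses are confirmed stripped by the page.

```php
<?php
// Hypothetical reconstruction of the Voodoo handler (added example, not the original code).
// Assumed template: <h1>{title}</h1> <br/> <br/> {content}, written straight into the web root.

// VULNERABLE: only the content is sanitised; the title and the file name are not.
function create_file_vulnerable(string $webroot, string $name, string $title, string $content): string
{
    // Stripping a few characters from the content (the page confirms parentheses; the
    // rest of the list is assumed) does nothing about a short echo tag placed in the title.
    $content = htmlspecialchars(str_replace(['(', ')'], '', $content), ENT_QUOTES);
    $path = $webroot . '/' . $name;               // user picks "foo.php", so mod_php executes it
    file_put_contents($path, "<h1>$title</h1> <br/> <br/> $content");
    return $path;
}

// HARDENED: allow-list the file name and force a non-executable extension, HTML-escape
// every user-controlled field (so "<?=" becomes "&lt;?="), and store the file outside
// the document root so the web server never parses it. As defence in depth, a
// ".htaccess" with "php_flag engine off" in any user-writable directory under the
// web root stops mod_php from executing whatever lands there.
function create_file_hardened(string $storage, string $name, string $title, string $content): string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $name)) {
        throw new InvalidArgumentException('invalid file name');
    }
    $title   = htmlspecialchars($title,   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $content = htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $path = rtrim($storage, '/') . '/' . $name . '.txt';   // $storage lives outside the web root
    file_put_contents($path, "<h1>$title</h1> <br/> <br/> $content", LOCK_EX);
    return $path;
}

// Constructed sample input mirroring the writeup: 8-character title with an LF after the heredoc opener.
$title = "<?=<<<S\n";
$content = "S;\ninclude '/etc/passwd';";
echo create_file_hardened(sys_get_temp_dir(), 'foo', $title, $content), "\n";
```

Reading the hardened output back shows the title stored as `&lt;?=&lt;&lt;&lt;S`, which PHP never interprets even if the file were served through the interpreter.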

But in the end, we couldn’t find the flag, so if you know what’s next, please let us know in the comment!


3 thoughts on “Camp CTF 2015 – Voodoo”

  1. The flag was in the /THE_FLAG_IS_HERE file.

    You had to get RCE from the LFI, for example by uploading a new base64-encoded file and then using the base64-decode filter.
