Thursday, October 25, 2012

Hack.Lu CTF: Spambot Writeup

This challenge gives you a link to a page where you can enter a URL, and the site will send a message to the URL you give it. The Spambot then loads the page, figures out what fields there are, and tries to write data to the page. The Spambot also solves simple spam protection (like math). This turns out to be the downfall of the Spambot.

Once we saw that it solves the math, we wondered how it did this. The easiest way for the server to do it would be to just call eval() on whatever is between the HTML tags. So we added something after the math in the spam protection field.
1+1+1;echo 'bob';
When we entered the URL of our hosted page, the Spambot executed our code and printed the result of 1+1+1 to the screen as well as the word bob. At this point we knew that we had arbitrary PHP code execution on the server, so we started doing directory listings and eventually found an interesting file in the root directory. If you put the following line into the spam protection input field of your page and tell the Spambot to load the program, you win!
Spam protection: 1+1+1;$handle = opendir('/');while (false !== ($entry = readdir($handle))) {echo "$entry";echo shell_exec('cat /6f170bcecda1ca8d3a5435591202988881b34bad');}
-- suntzu_II
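
For the defensive side, here is an added example (not part of the original writeup and not the Spambot's real source, which the page never shows) of solving the math without eval(). The function names are hypothetical, and the eval() pattern in the comment is only what the writeup infers.

```php
<?php
// Added example. The writeup infers a pattern like eval('$a = ' . $text . ';').
// Hardened form: parse integer arithmetic (+ - * and parentheses) directly.
function solve_captcha(string $text): ?int
{
    // Allow-list of characters and a length bound, checked before parsing.
    if (strlen($text) > 64 || !preg_match('/\A[0-9+\-*() \t]+\z/', $text)) {
        return null;
    }
    preg_match_all('/\d+|[+\-*()]/', $text, $m);
    $pos = 0;
    try {
        $value = parse_sum($m[0], $pos);
    } catch (Throwable $e) {   // syntax error or integer overflow
        return null;
    }
    return $pos === count($m[0]) ? $value : null; // no trailing tokens
}
function parse_sum(array $t, int &$p): int
{
    $v = parse_product($t, $p);
    while ($p < count($t) && ($t[$p] === '+' || $t[$p] === '-')) {
        $op = $t[$p++];
        $r = parse_product($t, $p);
        $v = $op === '+' ? $v + $r : $v - $r;
    }
    return $v;
}
function parse_product(array $t, int &$p): int
{
    $v = parse_atom($t, $p);
    while ($p < count($t) && $t[$p] === '*') {
        $p++;
        $v *= parse_atom($t, $p);
    }
    return $v;
}
function parse_atom(array $t, int &$p): int
{
    $tok = $t[$p++] ?? '';
    if ($tok === '(') {
        $v = parse_sum($t, $p);
        if (($t[$p++] ?? '') !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if (!ctype_digit($tok)) throw new InvalidArgumentException('expected number');
    return (int)$tok;
}
// Inputs taken from the writeup: the benign math, then the probe with trailing PHP.
foreach (['1+1+1', "1+1+1;echo 'bob';"] as $s) var_dump(solve_captcha($s));
```

Because the input is only tokenised and never handed to the PHP interpreter, anything outside digits, operators and parentheses is refused before parsing starts.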
