Kiran Ghimire feigned ignorance and said he had no idea what the flag was.
7/10
PCTF{Kiran_SAU_Manifested}
CVE
Kiran Ghimire (sau)
- Try to access the path
/challenge.php, we are restricted to access the page. - The following configuration is found in the
.htaccessfile:
<Files "challenge.php">
AuthType Basic
AuthName "Admin Panel"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
</Files>
-
When Files directive is used to restrict a single file, it can be bypassed directly under the default PHP-FPM installation. More information can be foud here: https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1#%E2%9A%94%EF%B8%8F-Primitive-1-2-ACL-Bypass
-
We can simply bypass the authentication by appending the URL-encoded '?' character (%3F) to the end of the PHP file extension. Ensure to put
.phpafter the?character. Bypassed:http://127.0.0.1:8090/challenge.php%3Fa.php -
If we can make the
$ccvariable false within the run function, then we can control the$urlvariable and read the flag executed by the system command. -
YAML treats
NOasfalse. So, we can set the value of$ccto NO by passing the value of the country parameter as Norway. Read more aboutThe Norway Problemhere: https://hitchdev.com/strictyaml/why/implicit-typing-removed/
Final Payload to read the flag:
http://127.0.0.1:8090/challenge.php%3Fa.php?country=Norway&url=-o /var/www/html/flag.txt file:///get-here/flag.txt
http://127.0.0.1:8090/flag.txt
Getting the flag from the get-here directory and writing it to the user-reachable directory.