vvxhid/The_prophet_TetCTF2020-WEB-

The prophet TetCTF 2020 WEB

This is a write-up for the prophet web challenge from TetCTF 2020. It was a nice challenge and a lot of fun.

Write-up

For this challenge, when you access the web site for the first time, you notice a link "Read some oracle here". Clicking it takes you to a new route, http://45.77.245.232:7004/read/oracle/4.txt, and each further click on "here" serves a different file at random, until this nice hint showed up.

Then I tried changing the text file name to flag.txt and oops!

You can easily notice the shell prompt icon, and when you click it, it asks you for a PIN code!

It was an obvious LFI on the route /read/oracle/, so I gave it the famous test /read/oracle/../../../../../../../etc/passwd, aaand OOPS, here we go again! I found another bug!

I tried to read the app source code using the LFI bug; it's just code that serves the files randomly.

The debugger they are using is named Werkzeug, so we took a look at its code on GitHub and found the function that gets the PIN code.

We took another look at the function get_pin_and_cookie_name, which gets the PIN and cookie name; its job is described very well in its documentation.

After reading and understanding the function above, we ended up writing a script to generate the PIN code. To generate it, we need this data:

  • username
  • modname
  • getattr(app, '__name__', getattr(app.__class__, '__name__'))
  • getattr(mod, '__file__', None)
  • str(uuid.getnode())
  • get_machine_id()

We get the username from /etc/passwd: web3_user

modname, from the debugger error: flask.app

getattr(app, '__name__', getattr(app.__class__, '__name__')), from the app source code: Flask

getattr(mod, '__file__', None), from the debugger error: /usr/local/lib/python3.5/dist-packages/flask/app.py

str(uuid.getnode()), the MAC address of the network interface: 56:00:02:7a:23:ac

We get the network interface name using the LFI: ens3

Then we get the MAC address, 56:00:02:7a:23:ac, and convert it to its decimal value.

We get the machine ID using the LFI: /etc/machine-id

Now we have the data to generate our PIN code.

And here we go, PIN code generated successfully.

We enter our PIN code.

We get our Python interpreter shell prompt.

And we get our flag using LFI.

We learned a lot from this challenge and had a lot of fun. A nice experience!
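
From the defender's side, every stage of this chain shows up in the web server's access log. The script below is an added example, not code from the challenge or from the write-up's own script: it flags traversal requests on /read/oracle/, reads of the files used above as PIN inputs, and Werkzeug debugger requests (the `__debugger__` and `cmd` query parameters). The log lines, IP addresses and PIN value are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/read/oracle/"                          # file-serving route from the write-up
PIN_INPUTS = ("/etc/passwd", "/etc/machine-id")  # files the write-up reads for PIN inputs
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jan/2020:10:00:01 +0000] "GET /read/oracle/4.txt HTTP/1.1" 200 312',
    '203.0.113.9 - - [04/Jan/2020:10:02:10 +0000] "GET /read/oracle/../../../etc/passwd HTTP/1.1" 200 1480',
    '203.0.113.9 - - [04/Jan/2020:10:02:40 +0000] "GET /read/oracle/%2e%2e%2f%2e%2e%2fetc%2fmachine-id HTTP/1.1" 200 33',
    '203.0.113.9 - - [04/Jan/2020:10:05:00 +0000] "GET /read/oracle/flag.txt?__debugger__=yes&cmd=pinauth&pin=000-000-000&s=PLACEHOLDER HTTP/1.1" 200 40',
]


def classify(line):
    """Return the set of findings for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return set()
    url = urlsplit(match.group(1))
    findings = set()
    # Decode twice so double-encoded sequences such as %252e%252e are caught too.
    path = unquote(unquote(url.path))
    if path.startswith(ROUTE):
        if ".." in path[len(ROUTE):].split("/"):
            findings.add("traversal")
        if path.endswith(PIN_INPUTS):
            findings.add("pin-input-read")
    # Werkzeug's debugger front end talks to the server through these query parameters.
    query = parse_qs(url.query)
    if query.get("__debugger__") == ["yes"]:
        findings.add("debugger:" + query.get("cmd", ["page"])[0])
    return findings


def scan(lines):
    """Return (line_number, sorted findings) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, sorted(findings)))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

Any `debugger:` hit on a public host means the application is running with the interactive debugger enabled, which is the setting to turn off regardless of whether the traversal is fixed.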
