WPICTF Web WP


👉😎👉

This challenge confused me for a long time. First, we can find some JavaScript source code in /static/zoop.js:

// ATTENTION: READING THIS SOURCE CODE MAY NOT ONLY BURN YOUR EYES, IT IS IN VIOLATION OF OFFICIAL ZOOP CORP(TM) LTD. LLC OMGWTFBBQ POLICIES
$(document).ready(() => {
	$('#send').click(() => {
		$('#send-indicator').css('visibility', 'visible');
		$('#send-indicator').css('opacity', 1);
		$('#big-textbox').attr('disabled', true);
		$('#attach').attr('disabled', true);
	});

	$('#attach').click(() => {
		$('#file-url').val('');
		$('#attach-confirm').attr('disabled', true);
		$('#preview').attr('disabled', true);
		$('#attach-modal').modal('show');
	});

	$('#preview').click(() => {
		const fileUrl = $('#file-url').val();
		if (fileUrl.length === 0) {
			return;
		}

		$.get('/preview', {url: fileUrl}, (data) => {
			$('#preview-area').css('color', 'black');
			$('#preview-area').text(data);
		}).fail(() => {
			$('#preview-area').text("Error getting preview. Please try again later");
			$('#preview-area').css('color', 'red');
		});
	});

	$('#file-url').on('input', () => {
		const url = $('#file-url').val();
		$('#attach-confirm').attr('disabled', url.length == 0);
		$('#preview').attr('disabled', url.length == 0);
	});

	$('#attach-confirm').click(() => {
		$('#attach').attr('disabled', true);
		$('#attach-confirm').attr('disabled', true);
		const fileUrl = $('#file-url').text();
		$.post('/attach', {url: fileUrl});
		$('#attach-modal').modal('hide');
	});
});

The code shows us that the send-email feature is a complete sham: nobody will receive anything, and of course neither will we. My second thought was SSRF in the preview page. Unfortunately, whatever I tried (file://, http://localhost, or even just index.html), the server always responded with 400 o(╥﹏╥)o. So what else had I neglected?

Taking another look at the attach page, I found a strange URL: http://storage.zoop/some_file.txt. So I gave it a try and, surprisingly, it returned an XML listing of the files on the server. Wow, amazing! According to the information in the XML, we know the flag is in flag.txt, so we just read it:

dorsia2

The task is an HTTP server written in C, and the source code is shown in the video:

#include <stdio.h>
#include <stdlib.h>
void main(){
        char a[69] = {0};
        scanf("GET /%s", &a);
        printf("HTTP 200 \r\n\r\n");
        fflush(stdout);
        execlp("cat", &a, &a, 0);
}

The execlp function can be regarded as much the same as system() in Python, just with a few more parameters. So this task allows us to read any file on the server, and the description tells us the flag is in ~/flag.txt.

First, I tried reading ~/flag.txt directly and got nothing. After a little thought, I realized this may be because the user that created the process is not the flag holder. So next I read the file /etc/passwd to confirm the username, and here is the response:

We can clearly see that the last user, named ctf, might have the flag. Reading /home/ctf/flag.txt in that user's home directory gives us the flag.

autograder

The task is a C compiler, and the description tells us the flag is in /home/ctf/flag.txt, so we can include the flag directly. Payload:

#include "/home/ctf/flag.txt"

Same point as this.
