0CTF 2015 - Golden Mac 1 (web 300)
In the description and task title, it states that the developer uses a Mac Book Pro. So we looked for the
.DS_Store in the application root directory and found one whose contents we can read with this simple python script:
from ds_store import DSStore with DSStore.open('DS_Store', 'r+') as d: for i in d: print i
<index.php Iloc> <parse.class.php Iloc> <u_can_not_guess_this_haha.php Iloc>
It seems the flag is in
u_can_not_guess_this_haha.php but the page renders an empty page. Probably flag is in the code.
The site lets us upload an image and a document. There is no control of the file type nor the extension for the image so we can upload any file to
/uploads but that doesnt turn out to be very useful.
We can also upload profile descriptions in
docx format which is basically a bunch of XML docs zipped. It turns out the application process the XML files without disabling external entities and so its vulnerable to XXE. We prepared a specially crafted docx document to retrieve the
u_can_not_guess_this_haha.php file in base64 format (so we have no problems with
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE document [<!ENTITY xxx SYSTEM "php://filter/read=convert.base64-encode/resource=u_can_not_guess_this_haha.php">]> <w:document> ... </w:document>