Saturday, March 31, 2018

CoinGame 200 Writeup - Nuit Du Hack CTF 2018


Hey there, here is my writeup for a challenge that was frustrating and easy at the same time during the 'Nuit Du Hack Qualification CTF of 2018'.

Some Information:

  • CTF Contest: Nuit du hack qualification CTF 2018.
  • Challenge Name: CoinGame.
  • Challenge Category: Web.
  • Challenge Difficulty: Easy.
  • Challenge Points: 200 PTS.

Solution:

The challenge web page has just a form that fetches the given URL through PHP cURL:

When we give it a page to fetch, the request looks like this:
http://coingame.challs.malice.fr/curl.php?way=https://www.taharamine.me/

After trying a couple of tricks I found that it looks like an LFI vulnerability (Local File Inclusion), which simply means the ability to read local files on the system (the web server)!
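The root cause described here is a fetcher that hands a user-supplied URL straight to cURL, so non-web schemes like file:// and tftp:// are honoured. The following is an added example of the input check such a fetcher should run before calling cURL; it is not code from the original post or from the CoinGame project, and it is written in Python rather than PHP for illustration. The `fake_resolve` table and the addresses in it are constructed for offline use; the `validate_fetch_url` name is my own.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only these schemes may reach cURL. file://, tftp://, gopher://, dict:// and
# friends are refused before any request is made.
ALLOWED_SCHEMES = {"http", "https"}


def _system_resolve(host):
    """Resolve a hostname via the OS resolver. Unresolvable hosts yield an
    empty list, which the caller treats as a failure (fail closed)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Drop an IPv6 scope id ("fe80::1%eth0") so ipaddress can parse the string.
    return sorted({info[4][0].split("%")[0] for info in infos})


# Constructed answers so the example runs without network access. The public
# address is a placeholder, not a claim about where the site really resolves.
FAKE_DNS = {
    "www.taharamine.me": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def validate_fetch_url(raw_url, resolve=None):
    """Return (allowed, reason) for a user-supplied URL such as the 'way'
    parameter. 'resolve' maps a hostname to address strings; it defaults to the
    system resolver and is injectable so the check can be tested offline."""
    parsed = urlparse(raw_url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' is not allowed" % (scheme or "(none)")
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL are not allowed"
    try:
        # A literal IP address needs no DNS lookup.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = (resolve or _system_resolve)(host)
    if not addresses:
        return False, "host '%s' does not resolve" % host
    for address in addresses:
        ip = ipaddress.ip_address(address)
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 metadata address), CGNAT and other reserved ranges.
        if not ip.is_global:
            return False, "host '%s' resolves to non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    # The URLs from the writeup plus one cloud-metadata style target.
    for url in ("https://www.taharamine.me/", "file:///etc/passwd",
                "tftp://127.0.0.1/README.md", "http://169.254.169.254/latest/"):
        print(url, "->", validate_fetch_url(url, resolve=fake_resolve))
```

Two caveats worth keeping in mind when wiring this into a real fetcher: the same check has to be applied to every redirect target if cURL is allowed to follow redirects (otherwise a public host can bounce the request to 127.0.0.1), and a hostname that passes here can still be re-pointed at an internal address between the check and the connect (DNS rebinding), so connecting to the validated address rather than re-resolving the name is the safer design.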

After requesting a lot of local system files I didn't see any flag, which meant I was not doing well! I am a penetration tester and not a CTFer, so I started thinking that I might be wrong and that I should follow a methodology like we usually do in a pentest. I took a step back, went to the website and browsed it slowly to see if I had missed something, and yes I had! The message in the footer was: "DESIGNED BY TOTHEYELLOWMOON", so I decided to Google it a little with the hope of finding something useful!

I just found this GitHub repository: https://github.com/totheyellowmoon/CoinGame
By reading the description of that repo on GitHub I got to see this message: "Congrats it was the first step ! Welcome on my Github, this is my new game but I haven't pushed the modifications ..." It basically means that I am on the right path!

I took a step back to the first trick I used, 'file:///etc/passwd', and remembered that there was a TFTP service running! I Googled a little and found a good StackExchange answer saying that this is an SSRF (Server-Side Request Forgery) and not an LFI. Hmmm, weird! I don't need to decide whether it is an LFI or an SSRF, I just need to Capture The Flag :-P


I played a little with the 'tftp://' trick and sent the following request: http://coingame.challs.malice.fr/curl.php?way=tftp://127.0.0.1/README.md
I was able to read the local file of the repository again!
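From the other side of the table, both the file:// and the tftp:// requests above leave a clear trace in the web server's access log, because the fetched URL travels in the `way` query parameter. The following is an added example of a small detector that scans Apache combined-format log lines for fetches with a non-web scheme or a non-public target; it is not code from the original post or the CoinGame project. The log lines in `SAMPLE_LOG` are constructed (client addresses from the 203.0.113.0/24 documentation range), and the `/curl.php` path and `way` parameter come from the writeup.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format that mirror the
# requests discussed in the writeup.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Mar/2018:10:00:01 +0000] "GET /curl.php?way=https%3A%2F%2Fwww.taharamine.me%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Mar/2018:10:00:09 +0000] "GET /curl.php?way=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Mar/2018:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
203.0.113.22 - - [31/Mar/2018:10:03:40 +0000] "GET /curl.php?way=tftp://127.0.0.1/README.md HTTP/1.1" 200 830 "-" "curl/7.58.0"
203.0.113.22 - - [31/Mar/2018:10:04:02 +0000] "GET /curl.php?way=http://127.0.0.1:8080/admin HTTP/1.1" 200 410 "-" "curl/7.58.0"
"""

# Client, timestamp, request line and status; the remaining fields are ignored.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

SAFE_SCHEMES = {"http", "https"}
FETCH_PATH = "/curl.php"   # the fetcher endpoint from the writeup
FETCH_PARAM = "way"        # the parameter carrying the URL to fetch


def classify_fetch(target_url):
    """Return a short reason if the URL handed to the fetcher is suspicious,
    else None. Hostnames are not resolved here; only schemes and literal
    addresses are judged, which is what a log scanner can do offline."""
    parts = urlsplit(target_url)
    scheme = parts.scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return "non-http scheme '%s'" % (scheme or "(none)")
    host = parts.hostname or ""
    try:
        if not ipaddress.ip_address(host).is_global:
            return "fetch of non-public address %s" % host
    except ValueError:
        pass  # a hostname, not a literal address: nothing more to say offline
    return None


def find_ssrf_attempts(log_text):
    """Parse each log line and report fetcher requests whose target looks like
    SSRF (non-web scheme or loopback/private literal address)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        request = urlsplit(m.group("target"))
        if request.path != FETCH_PATH:
            continue
        # parse_qs percent-decodes, so both encoded and raw 'way' values work.
        for way in parse_qs(request.query).get(FETCH_PARAM, []):
            reason = classify_fetch(way)
            if reason:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "way": way,
                    "reason": reason,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in find_ssrf_attempts(SAMPLE_LOG):
        print("%(time)s %(client)s -> %(way)s (%(reason)s, HTTP %(status)d)" % f)
```

A 200 status on a file:// or tftp:// fetch is the signal that the server actually served the content, so status is worth carrying into the finding; an equivalent rule can be expressed in a SIEM as "path = /curl.php and the decoded `way` parameter does not start with http:// or https://".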

So, let me think in a smart way. Since TFTP was the right path, I downloaded the original repository from GitHub and used a small trick to see the difference between the repo I had and the repo used in the challenge: I downloaded both the GitHub repo and the challenge repo (the latter through TFTP) and compared them.

By running a small difference check, some pictures were not the same, and I started getting the feeling that I had found the flag :-3 The flag was printed on the picture, and finally the challenge was solved ^_^ Honestly, I took more than 4 hours because I simply overthink things and mix stuff up!

Flag: flag{_Rends_L'Arg3nt_!}
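The "small difference check" between the public repository and the files on the challenge host is the same comparison an operator runs to verify that a deployment matches its source control, and it is what surfaced the modified picture here. The following is an added example of that check, comparing two directory trees by SHA-256 and reporting modified, missing and extra files; it is not code from the original post or the CoinGame project. `build_sample` creates two constructed trees in a temporary directory standing in for the GitHub checkout and the downloaded challenge copy (file contents are placeholders), and `compare_trees` is my own name.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Map each relative file path under root (with '/' separators) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): _sha256(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(upstream, deployed):
    """Compare the source checkout against the deployed copy and return the
    files whose content differs, plus those present on only one side."""
    a, b = _walk(upstream), _walk(deployed)
    return {
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "only_in_upstream": sorted(a.keys() - b.keys()),
        "only_in_deployed": sorted(b.keys() - a.keys()),
    }


def build_sample():
    """Create two constructed trees under a temp dir: a stand-in for the public
    GitHub checkout and a stand-in for the challenge host's files.
    Returns (upstream_dir, deployed_dir)."""
    base = Path(tempfile.mkdtemp(prefix="coingame_"))
    upstream, deployed = base / "github", base / "deployed"
    files = {  # constructed placeholder contents
        "README.md": b"# CoinGame\nplaceholder readme\n",
        "curl.php": b"<?php /* fetches the 'way' parameter with cURL */ ?>\n",
        "img/coin.png": b"PNG placeholder bytes (constructed)\n",
        "img/logo.png": b"PNG placeholder bytes (constructed)\n",
    }
    for root in (upstream, deployed):
        for name, data in files.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # The deployed copy differs in one picture and carries one extra file,
    # the situation the writeup describes.
    (deployed / "img/coin.png").write_bytes(b"PNG different bytes (constructed)\n")
    (deployed / "img/extra.png").write_bytes(b"PNG extra picture (constructed)\n")
    return str(upstream), str(deployed)


if __name__ == "__main__":
    up, dep = build_sample()
    for kind, names in compare_trees(up, dep).items():
        print("%-17s %s" % (kind + ":", ", ".join(names) or "(none)"))
```

Hashing rather than byte-by-byte diffing keeps the report usable for binary assets such as images, where the interesting fact is simply that the file changed; `diff -r` on the two directories gives the same answer for text files but only says "Binary files differ" for the pictures.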

2 comments:

  1. How do you download using tftp? I used the filenames from the github repository and downloaded the files using file://home/CoinGame/$x

    Replies
    1. Your trick was easier but it takes time to get all files!