• CoinGame 200 Writeup - Nuit Du Hack CTF 2018


    Hey there, here is my writeup for a frustrating and easy challenge at the same time during the 'Nuit Du Hack Qualification CTF of 2018'.

    Some Information:



    • CTF Contest: Nuit du hack qualification CTF 2018.
    • Challenge Name: CoinGame.
    • Challenge Category: Web.
    • Challenge Difficulty: Easy.
    • Challenge Points: 200 PTS.

    Solution:

    The challenge web page have just a form that fetch the given input through PHP cURL:

    When we give it a page to fetch the request goes like that:
    http://coingame.challs.malice.fr/curl.php?way=https://www.taharamine.me/

    After trying a couple of tricks I've found that it looks like an LFI Vulnerability (Local File Inclusion) it simply means the ability of reading local system (webserver) files!

     After requesting lot of local system files I didn't see any flag which means I am not doing well! I am a Penetration Tester and not a CTFer, I started thinking if I am wrong and If I should go through a methodology like we do in a pentest usually! I did a step back and went to the website and browsed it slowly to see if I missed something, and Yes I did! The message on the footer was: "DESIGNED BY TOTHEYELLOWMOON", so I decided to Google a little bit with a hope to find something useful!

     I just found this Github repository: https://github.com/totheyellowmoon/CoinGame
    By reading the description of that repo on github I get to see this message: "Congrats it was the first step ! Welcome on my Github, this is my new game but I haven't pushed the modifications ..." It basically means that I am on the right path!

     I did a step back to the first trick I used through the 'file:///etc/passwd' I remembered that there was a TFTP running! Googled a little bit and found a good StackExchange article that say it is an SSRF and not an LFI. Hmmm, weird! I don't need to decide if it is an LFI or an SSRF I just need to Capture The Flag :-P
    I played a little bit with the 'tftp://' trick and requested the following request: http://coingame.challs.malice.fr/curl.php?way=tftp://127.0.0.1/README.md
    I was able to read the local file of the repository again!

    So, let me think in a smart way since TFTP was the right path I started downloading the original repository from Github to do a little trick to see the difference between the repo that I have and the repo that they are using in the challenge by downloading both the github repo and challenge repo through TFTP.

    By running a small difference check, some pictures was not the same (different) and I started getting that feeling that I've found the flag :-3 The flag was printed out on the picture, and finally challenge solved ^_^ Honestly, I took more than 4 hours because I simply overthink stuff and simply I mix stuff! 
    Flag: flag{_Rends_L'Arg3nt_!}

    • 2 comments:

    1. Abdillah HasnyApril 1, 2018 at 1:50 AM

      how you download using tftp? i use filename from github repository and download the file using file://home/CoinGame/$x

      ReplyDelete
      Replies
      1. MrTaharAmineApril 1, 2018 at 1:57 AM

        Your trick was easier but it takes time to get all files!

        Delete

    In case you want to check my experience and achievements!

    Make sure to visit my LinkedIn profile and send a connection request.

    LinkedIn

    Get In Touch

    EMAIL
    TELEPHONE
    Copyright © 2020 Tahar Amine . Designed By MrTaharAmine.
    Made With