2024 BlackHat MEA CTF Qualification - free flag
Overview
- 110 points
- easy
Description
Free Free
Attached
This is index.php file
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Free Flag</title>
</head>
<body>
<?php
function isRateLimited($limitTime = 1) {
$ipAddress=$_SERVER['REMOTE_ADDR'];
$filename = sys_get_temp_dir() . "/rate_limit_" . md5($ipAddress);
$lastRequestTime = @file_get_contents($filename);
if ($lastRequestTime !== false && (time() - $lastRequestTime) < $limitTime) {
return true;
}
file_put_contents($filename, time());
return false;
}
if(isset($_POST['file']))
{
if(isRateLimited())
{
die("Limited 1 req per second");
}
$file = $_POST['file'];
if(substr(file_get_contents($file),0,5) !== "<?php" && substr(file_get_contents($file),0,5) !== "<html") # i will let you only read my source haha
{
die("catched");
}
else
{
echo file_get_contents($file);
}
}
?>
</body>
</html>
Analyzation
Flag is in /flag.txt, so we must find way to read it.
Check this block of code
$file = $_POST['file'];
if(substr(file_get_contents($file),0,5) !== "<?php" && substr(file_get_contents($file),0,5) !== "<html") # i will let you only read my source haha
{
die("catched");
}
else
{
echo file_get_contents($file);
}
So if we can pass value /flag.txt into $file, we can read flag.
But $file must start with <?php or <html in order to pass the filter. Hmmm… What if we can wrap /flag.txt with <?php?
Solution
wrapwrap can do it for us. Source code can be found here.
Use this command to generate file
python3 wrapwrap.py /flag.txt "<?php " '' 100
and then upload it. The flag is yours.
Guide to install wrapwrap
- First, download wrapwrap.py.
- Second, clone ten module as mentioned in
wrapwrap.py. - Third, use
pip3to install the required modules forten.pip3 install rich colorama bs4 requests_toolbeltNow you can use
wrapwrap. Generated file for this challenge is chain.txt.