Cool CTF, finished top 10 so I'm happy with that. Again it began mid week for me but I got sick with a virus so had to stay home anyway. What better to do than to CTF until I feel better?
Great challenge this one but I'm seeing a lot of people were doing strange things to the poor 3rd party involved in their writeups, like nmap scanning etc. None of that was necessary.
Here's the clue:
So another PHP challenge I suppose, we browse on over and then append "s" on the URL to give us:
Which coughs up the source code for us:
Ok so the ONLY acceptable IPs are very specifically in the 220.127.116.11 - 18.104.22.168 range. What's special about that? We ask NSLookup to reverse lookup this IP:
Runnable.com? Let's check these guys out...
Ok so online sandboxes we can run code in. Great, but I'm on a deadline here... Oh whats this:
I don't know, Am I?
I click that link (http://code.runnable.com/) and I'm taken to the meat of their site, a list of code snippets we can run for various reasons. I pick one at random and am greeted with a surprise. Each code snippet gets a kind of web-based terminal to interact with:
The terminal is furnished with useful tools as well, namely "curl":
So i feel we have the vector now, we just need to pass all the other checks. Re-examining the source we need to:
- Query must be post, fine we can use -d in curl for that
- Query must contain the admin parameter, fine
- Admin parameter must be 256 bytes long, fine ok
- Each byte of the admin parameter value must equal the value of it's index in the string, er ok? Many of those characters wont be printable, we'll need to handle that
So I turn to Python and here's the source I come up with:
Which gives me the following output:
Which I copy and paste into the Runnable.com web terminal:
Voila, our flag: