Poison for tomorrow


You did it! Everything blew up. Joe is dead, the remaining Warboys ran off. Luckily the anti-apocalypse machine is unharmed. As you walk closer to the machine you see it is counting down from 999 years. Joe programmed it to delay the end of the apocalypse as much as possible. Find a way to reprogram the machine, otherwise, the apocalypse will stay for a long time.


  • Author: Pepe
  • Difficulty: medium


I did not managed to solve this challenge in the challenge time period, and needed a nudge from Pepe after the challenge ended to be able to solve this one.


After doing some initial scanning with nmap and skipfish this is what I’ve found.

ls -la
-rw-r--r--  1 kali kali    142 Feb 27 20:24 solve.txt

cat solve.txt
Ports open:
22 ssh
80 http
443 https


Nothing to see here right? Right. So anyway, I started playing with the Countdown clock. image

Needless to say, I got to nowhere with that, and didn’t managed to solve the challenge.

After the challenge was over I got the hint, that I may want to look into Log Poisoning. About the first search with google returned the answer, LFI to RCE vulnerability. With this knowledge it was easy to put together a python script, that did the following:

  • Send a request to countdown.html with a PHP injected User-Agent, our good old PHP one-liner friend will do here too: <?php foreach(scandir(".") as $file) echo $file."<br>"; ?>
  • View /var/log/apache2/access.log to see the leaked folder
  • Look for the flag at https://poison-for-tomorrow.secchallenge.crysys.hu/index.php?page=/var/www/html/very_secret_hidden_folder_N0P3/flag

… goddammit, the challenge won here, initially.

The acquired flag is:


← Back to SecChallenge21

all tags