Poison for tomorrow
You did it! Everything blew up. Joe is dead, the remaining Warboys ran off. Luckily the anti-apocalypse machine is unharmed. As you walk closer to the machine you see it is counting down from 999 years. Joe programmed it to delay the end of the apocalypse as much as possible. Find a way to reprogram the machine, otherwise, the apocalypse will stay for a long time.
- Author: Pepe
- Difficulty: medium
I did not managed to solve this challenge in the challenge time period, and needed a nudge from Pepe after the challenge ended to be able to solve this one.
After doing some initial scanning with
skipfish this is what I’ve found.
ls -la -rw-r--r-- 1 kali kali 142 Feb 27 20:24 solve.txt cat solve.txt Ports open: 22 ssh 80 http 443 https https://poison-for-tomorrow.secchallenge.crysys.hu/index.php?page=/../../../../../../../../../etc/passwd
Nothing to see here right? Right. So anyway, I started playing with the Countdown clock.
Needless to say, I got to nowhere with that, and didn’t managed to solve the challenge.
After the challenge was over I got the hint, that I may want to look into
Log Poisoning. About the first search with google returned the answer, LFI to RCE vulnerability. With this knowledge it was easy to put together a python script, that did the following:
- Send a request to
countdown.htmlwith a PHP injected
User-Agent, our good old PHP one-liner friend will do here too:
<?php foreach(scandir(".") as $file) echo $file."<br>"; ?>
/var/log/apache2/access.logto see the leaked folder
- Look for the flag at
… goddammit, the challenge won here, initially.
The acquired flag is: