STANDCON CTF - Specimens

Description

Collected a bunch of specimens on our last run, wonder if there is more we misplaced.

http://20.198.209.142:55042

The flag is in the flag format: STC{…}

Author: LegPains

Solution

The website didn’t seem like much at first, but looking into the HTML source, we see something interesting:

<ul class="nav">
	<li class="nav-item">
		<a class="nav-link active" href="?specimen=turtle.php">Specimen 1</a>
	</li>
	<li class="nav-item">
		<a class="nav-link active" href="?specimen=meteorite.php">Specimen 2</a>
	</li>
	<li class="nav-item">
		<a class="nav-link active" href="?specimen=astronaut.php">Specimen 3</a>
	</li>
</ul>

We see that each link in the navbar points to the same page, but with the name of a different .php file passed in the specimen parameter! The next step would probably be to test for Local File Inclusion (LFI) vulnerabilities.

We first tried specimen=/etc/passwd and got no result, so we appended multiple ../ to the front to get specimen=../../../../../../../etc/passwd and we still got no results! What’s going on? Could the page be doing some form of filtering against ../?

To summarize what we tried, here is a list of payloads and results that let us deduce that the page was doing a single, non-recursive pass of replacing every ../ with an empty string:

turtle.php                                     => shows turtle page
../turtle.php                                  => shows turtle page
....//turtle.php                               => no turtle page
....//....//....//....//....//....//etc/passwd => shows contents of /etc/passwd

We also observed that submitting an absolute path in specimen does not work, which suggests that the code prefixes the specimen value with some directory before including it.

Now that we had a full understanding of the protective measures in place, the next step was figuring out where the flag was. CTFs tend to name their flag files flag.txt, so we tried a few locations and ....//....//flag.txt worked!
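To make the filter behaviour concrete, here is an added Python model (not the challenge's PHP source, which was never shown) of the single-pass ../ removal that the results above imply, placed beside the normalise-then-check and allowlist approaches that would have stopped the traversal. The base directory is an assumed placeholder, and the ....// inputs are the page's own payloads.

```python
import posixpath
from typing import Optional

# Assumed base directory the specimen value is prefixed with (placeholder;
# the real path on the challenge server is unknown).
SPECIMEN_DIR = "/var/www/html/specimens"

# Fixed set of pages linked from the navbar on the page.
ALLOWED_SPECIMENS = {"turtle.php", "meteorite.php", "astronaut.php"}


def weak_filter(specimen: str) -> str:
    """Model of the challenge's filter: one non-recursive pass removing '../'.

    '....//' loses one '../' in the middle and collapses back to '../',
    which is why doubling the sequence survives the filter.
    """
    return specimen.replace("../", "")


def weak_include_path(specimen: str, base: str = SPECIMEN_DIR) -> str:
    """Path the vulnerable model ends up including after its filter."""
    return posixpath.normpath(posixpath.join(base, weak_filter(specimen)))


def safe_include_path(specimen: str, base: str = SPECIMEN_DIR) -> Optional[str]:
    """Hardened check: normalise first, then require the result to stay inside base.

    No string replacement is involved, so there is nothing to bypass by
    doubling sequences. An absolute specimen makes posixpath.join discard
    base, and the containment test then rejects it. (On a real server use
    os.path.realpath as well so symlinks cannot escape the directory.)
    """
    candidate = posixpath.normpath(posixpath.join(base, specimen))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def allowlisted(specimen: str) -> bool:
    """Simplest fix when the set of includable pages is fixed: exact-match allowlist."""
    return specimen in ALLOWED_SPECIMENS
```

Running weak_include_path on the page's ....//....//flag.txt payload yields a file two directories above the base, while safe_include_path returns None for the same input once normalised and allowlisted rejects anything that is not one of the three navbar pages.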

Flag

STC{StRINg_r3PLace_I5_n0T_ReCUR5ive}

This post is licensed under CC BY 4.0 by the author.