[Hack-Along] Stripe Web CTF - Level One - [SPOILERS]
So, you've beaten level 0 and are now at the heady heights of level 1, where we are faced with another simple webapp that is hiding a secret from us.
In this webapp, guessing the secret combination (which is stored in the file 'secret-combination.txt') will print out the password to level 2 (stored in the file 'level02-password.txt').
Tip
Not ready to read the spoiler yet but want a tip? This challenge is based around a PHP script. One of the best ways to start is to check out the source and look up any function calls you are not familiar with in the PHP documentation.
Looking at the source provided we can see a very simple webapp that grabs a user-supplied guess, compares it to the contents of the secret-combination.txt file and (if it matches) prints out the level 2 password.
A couple of things in the code immediately jump out.
The first is the use of extract(), which will turn ALL user-provided parameters into PHP variables. By default extract() overwrites any variable that already has the same name, so this allows us to create arbitrary variables with arbitrary data, and to clobber variables the script has already set.
The second problem is that the
With these two issues, we can overwrite the $filename variable with arbitrary content of our choice and subvert the rest of the program. To do this, we merely specify extra parameters when submitting our guess.
A sample modified request could look like:

http://level01-2.stripe-ctf.com/user-youruserstring/?attempt=foo&filename=bar

So, to subvert the behaviour of this webapp... what happens if the $filename variable is empty? The following piece of code will behave in an unexpected way.

$combination = trim(file_get_contents($filename));

The PHP function file_get_contents(), when presented with an empty string, opens no file: it emits a warning and returns false, and trim(false) gives back an empty string. So if we provide an empty string as our guess and an empty string to override the $filename variable like so:

http://level01-2.stripe-ctf.com/user-youruserstring/?attempt=&filename=

The guessing game will check that an empty string matches an empty string (which it does!) and print out the contents of level02-password.txt for us!

One caveat for anyone trying this on a modern interpreter: on PHP 8 an empty path makes file_get_contents() throw a ValueError instead of returning false, so the empty-filename trick stops working there. Pointing $filename at a file that is genuinely empty, such as /dev/null, still yields an empty string on any version.

As with level 0, if you found a different way of completing this challenge, tell us about it in the comments! Stop back soon for level 2.
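To see both defects in running code, here is an added PHP example (it is not the CTF's own source, which this post does not reproduce): a minimal handler with the same two bugs, extract() called after $filename is set, beside a hardened version, both fed the empty-filename request from above and the /dev/null variant that comes up in the comments. The function names, the temporary directory and the sample secret values are constructed for the demo.

```php
<?php
// Added illustration (not the CTF's own source): a minimal PHP handler with the
// two defects the post describes, beside a hardened rewrite. File names, the
// temp-directory setup and the sample secrets below are constructed for the demo.

// Vulnerable: $filename is assigned BEFORE extract($get), and extract() defaults to
// EXTR_OVERWRITE, so a query parameter named "filename" silently replaces it.
function vulnerable_check(array $get, string $dir): string
{
    $filename = "$dir/secret-combination.txt";
    extract($get);                        // every query parameter becomes a local variable
    if (!isset($attempt)) {
        return 'no attempt';
    }
    // On PHP 5/7 an empty path makes file_get_contents() warn and return false;
    // trim(false) is '', so attempt='' compares equal. On PHP 8 it throws ValueError.
    $combination = trim(@file_get_contents($filename));
    if ($attempt === $combination) {
        return 'password: ' . trim(file_get_contents("$dir/level02-password.txt"));
    }
    return 'incorrect';
}

// Hardened: user input never names a variable or a file, and a failed read is an
// error rather than an empty string that happens to match an empty guess.
function hardened_check(array $get, string $dir): string
{
    $attempt = $get['attempt'] ?? null;   // read only the one parameter we expect
    if (!is_string($attempt) || $attempt === '') {
        return 'no attempt';
    }
    $combination = file_get_contents("$dir/secret-combination.txt");
    if ($combination === false) {
        return 'server error';
    }
    if (hash_equals(trim($combination), $attempt)) {   // constant-time comparison
        return 'password: ' . trim(file_get_contents("$dir/level02-password.txt"));
    }
    return 'incorrect';
}

// Demo with constructed secret files (the /dev/null case assumes a Unix host).
$dir = sys_get_temp_dir() . '/level01-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/secret-combination.txt", "correct horse battery staple\n");
file_put_contents("$dir/level02-password.txt", "demo-level02-password\n");

$requests = [
    'honest guess'       => ['attempt' => 'foo'],
    'empty filename'     => ['attempt' => '', 'filename' => ''],
    'filename=/dev/null' => ['attempt' => '', 'filename' => '/dev/null'],
];
foreach ($requests as $label => $get) {
    try {
        $vuln = vulnerable_check($get, $dir);
    } catch (\ValueError $e) {            // PHP 8: the empty-path variant no longer works
        $vuln = 'ValueError: ' . $e->getMessage();
    }
    printf("%-20s vulnerable => %-40s hardened => %s\n", $label, $vuln, hardened_check($get, $dir));
}

unlink("$dir/secret-combination.txt");
unlink("$dir/level02-password.txt");
rmdir($dir);
```

Run it with php from the command line. On PHP 5/7 both attack rows coax the vulnerable handler into printing the password; on PHP 8 the empty-filename row is caught as a ValueError while the /dev/null row still succeeds. The hardened handler reads the one parameter it expects instead of calling extract(), keeps the secret path fixed, treats a failed read as an error rather than an empty combination, and compares with hash_equals() so a wrong guess is rejected in constant time.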




Comments
Just as a note, calling file_get_contents() on an empty string will trigger a PHP warning. Perhaps not a big deal, but in a real world situation, a less noisy approach might be to open a file we know to give us an empty string, such as /dev/null. This will achieve the outcome we want, without generating a PHP error.