Writeup: MARIO
Mario was a challenge in WhiteHat Grandprix 2017 created by Bkav Team. Mario was worth only a few points, so it was meant to be an easy challenge to solve. Although a deployment error allowed the challenge to be solved another way, this is the intended solution of Mario.
Ok, now let’s start.
PART 1: LOGIN
When we open the link, a screen like the one above is shown. Obviously our mission is to find a way to log in to this site, to prove we are capable of helping the princess.
After trying several popular usernames (like root, admin), nothing special happened except the "login failed" line. SQL injection did not work either. The next thing I thought of was to check the page source.
Can you see anything irregular? Yes, jQuery doesn’t have a 1.6.11 version!
So there must be something inside. Take a look at the jQuery js file. It seems to be a normal jQuery file. But you can write a simple tool to diff a normal jQuery file (in this case the original version was 3.2.1) against this file, and you will see what has been hidden. Or, if you want to find it by yourself, think about this challenge’s name: Mario. By searching for the word “mario”, you will find the following:
Oh, now there are a lot of binary bits here. You can easily figure out that this is Morse code: by converting each bit 1 to - and each bit 0 to _, you will be able to decode the message:
USERNAME IS CTFMARIO PASSWORD IS JUSTBEGIN
Ok, now everything is simple. Just log in with CTFMARIO as the username and JUSTBEGIN as the password, and you will head to the second part of this challenge: uploading files.
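A small decoder for a bit stream hidden this way, as an added example that is not part of the original writeup. It assumes the writeup's 1 is a Morse dash and its _ is a dot; the letter and word separators in the sample are constructed here, since the writeup does not show the exact layout inside the jQuery file.

```python
# Added example (not from the writeup): decode a bit stream hidden in a file
# as Morse code, reading bit 1 as a dash and bit 0 as a dot (the writeup's '_').

MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}


def bits_to_morse(bits: str) -> str:
    """Map one letter's bit group to Morse: 1 -> dash, 0 -> dot."""
    if bits.strip("01"):
        raise ValueError(f"not a bit group: {bits!r}")
    return "".join("-" if b == "1" else "." for b in bits)


def decode_bit_morse(stream: str, letter_sep: str = " ", word_sep: str = "/") -> str:
    """Decode a stream of bit groups into text.

    Assumed layout (not stated in the writeup): letters are separated by
    letter_sep and words by word_sep. A group with no Morse letter becomes '?'
    instead of aborting, so a partially corrupted stream still yields output.
    """
    words = []
    for word in stream.split(word_sep):
        groups = [g for g in word.split(letter_sep) if g]
        words.append("".join(MORSE_TABLE.get(bits_to_morse(g), "?") for g in groups))
    return " ".join(w for w in words if w)


# Constructed sample in that layout; it spells the credentials the writeup recovered.
SAMPLE = ("001 000 0 010 10 01 11 0 / 00 000 / 1010 1 0010 11 01 010 00 111 / "
          "0110 01 000 000 011 111 010 100 / 00 000 / 0111 001 000 1 1000 0 110 00 10")

if __name__ == "__main__":
    print(decode_bit_morse(SAMPLE))  # USERNAME IS CTFMARIO PASSWORD IS JUSTBEGIN
```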
PART 2: UPLOAD FILES
After successfully logging in, a screen like this is shown.
It has a file-upload form. It tells us to upload an image file, so let's try that. It works.
Now let’s think about something bigger. If we are able to upload an image file, it’s very likely we can upload something more malicious! B-)
But life is full of pain… When we try to choose a file that is not an image (the check is on the extension: files with an extension other than .png and .jpg are rejected), the following message appears :<
But this little problem isn’t a reason to give up. We can see that this is a JavaScript message, which suggests a way to bypass it: disable JavaScript in the browser. And it works! From now on, if we choose a file with any extension, the above message won’t appear. Although the server still prohibits us from uploading files with strange extensions, it somehow allows us to upload files with the .php extension. Now we can try to upload any shell with a php extension, and it seems we are on the right way!
Ok, now let’s find where the shell we uploaded is. It’s easy to guess that it is somehow related to the picture we uploaded before. Open the link of the picture, change the extension from .jpg to .php, and tadaa! A shell interface appears! It may not look like the interface of the shell you uploaded, because the server has replaced your shell with a “less dangerous one”, a shell with limited usage. But no problem. We did very well, and now we are going to the final part: rescue the princess, and find the flag!
PART 3: FIND FLAG
Here is the interface of the shell.
Let’s try some commands. After several trials, we learn that only the “ls” and “cat” commands are usable; any other command is blocked, even when we try chaining commands or similar tricks. This can be inferred from the phrase “in this world only meow meow-s are acceptable”. Meow meow is a cat’s cry, hence only cat and ls can be used.
So first let’s use ls. A list of directories appears.
Now we know there are directories named from A→Z. Try ls A/A, and a similar listing appears. It’s like we are lost in a maze. But we can tell there are only 4 levels of directories: after A/A/A/A there’s no directory, but a file named fl4g! However, there’s nothing in this file :<
Trying some other directories, sadly those files still have no flag inside, even with meaningful directory names like F/L/A/G… Ok, this needs a little deduction. If we take a look at the words above, we can easily guess the correct directory is E/A/S/Y, as “easy” is the only first word of a line that is not capitalized. Moreover, “easy, huh” can make us think indirectly that the answer is “EASY”.
Now, just cat E/A/S/Y/fl4g, and you will get the flaggg!!!
Finally, the challenge is solved; just submit the flag and get the points!