DigitalOverDose — CTF

6 min readOct 10, 2021

Hello y’all, this is shellbreak again with another CTF. As I’m working as a web application penetration tester, I focus only on web challenges in CTFs, and in today’s write up, I’m going to showcase how I solved the only 3 web challenges in Digitaloverdose CTF. So, enough talking, and let’s jump in.

Challenge 1

This was a quite easy challenge.

First I opened the intsance in a web browser and intercepted the request with burpsuite.

As we can see, we have a parameter called file to which we can pass file names, and then the application renderes the file’s content.

right of the bat, the first thing to consider here is LFI, so trying /etc/passwd

gives the following results.

Great, now that we confirmed the LFI, it’s time to see how we can get the flag.

As you may have noticed, there’s a php file called index.php , so let’s use phph:// wrapper to get the source code, and see if it has anything to do with the flag.

php://filter/convert.base64-encode/resource=index.php

As a response, we get the content of index.php in a base64 encoded format.

Let’s grab that encoded text and decode it.

In the source code, the developer’s mentioned that there’s a secret stored in /bin/secret.txt , let’s exploit that LFI again to read the file.

Great, we got our flag, now all we need to do is to change the BUHC to DO in order to fit the flag format required.

Challenge 2

This challenge was quite interesting to me, as I learned about something called “broken commits”.

First let’s open the lab instance in our web browser.

We are presented to this encrypted text, and a message saying Only if you could see the source code , so let’s do a simple content discovery here.

Keep in mind that the encrypted text gets changed each time we refresh the page.

As seen in the screenshot, there’s a .git directory. Let’s see if we can access it.

At this point, I started looking for things like bypassing 403 restrictions, but that wasn’t the case. Eventually, as I was googling the challenge creator’s name (believe me, I don’t even know what made me do that). But, I found a write up about a so-called broken commits , and it is when you can’t access the .git directory as a whole but you still can access the inside files (for instance HEAD file).

Link to the write up: https://0x0elliot.medium.com/git-good-a-web-ctf-dealing-with-broken-git-commits-f879163557f9

In the write up there was a tool called GitTool which I used to solve this challenge. After cloning the repo to my kali machine,

Command: /opt/GitTools/Dumper/gitdumper.sh http://193.57.159.27:29675/.git/ ./

And what this tool does is, it tries to brute force the files inside .git and download them.

Now that we have the .git directory downloaded, we need to recover the source code.

We need to run in from inside the directory in which the .git directory is stored.

Now we have the source code of the challenge, so let’s take a look at index.php .

We have 3 important things to focus on in this code:

encrypt function

2. decrypt function

3. The encryption key

Considering you have php installed on your machine, we need to modify the code a little bit.

Keep in mind that this script uses mbstring functions, so in case you get any errors, make sure to install it using:

sudo apt install php7.4-mbstring

Note: 7.4 is the installed php version in my case, make sure you install the compatible version on yours.

After modifying the script, let’s run it with

php index.php

And, voila!!!

we got our flag :)

Challenge 3

Now, as you can see in the screenshot above, I managed to get first blood on this challenge ;)

And OMG, the thrill I felt was amazing.

Opening the challenge instance in the browser gives us this page

We can download the souce code by clicking on source .

From the source code, we see that the function madlib is executed upon sending a POST request with 5 parameters to /madlib endpoint.

In order to get the passed values rendered in the response, a param’s value length has to be less than 21.

Sending the following request:

we get this response:

seeing the 7777777 confirms that the app is vulnerable to SSTI. However, with the if statement, we can’t just execute any payload we want.

After thinking for a bit. I took another look at the source code.

notice that the params are parsed in JSON format (which can be seen from the screenshot of burp repeater).

And this got me thinking.

the values I’ve passed in the previous request were strings, so what would happen if I passed arrays instead?

As you know, len() functions count each character in the case of strings, but if we use arrays, it’s going to count the elements of the array regardless of the count of each element ;)