Hello y’all, this is shellbreak again with another CTF. As I’m working as a web application penetration tester, I focus only on web challenges in CTFs, and in today’s write up, I’m going to showcase how I solved the only 3 web challenges in Digitaloverdose CTF. So, enough talking, and let’s jump in.
This was a quite easy challenge.
First I opened the intsance in a web browser and intercepted the request with burpsuite.
As we can see, we have a parameter called
file to which we can pass file names, and then the application renderes the file’s content.
right of the bat, the first thing to consider here is LFI, so trying
gives the following results.
Great, now that we confirmed the LFI, it’s time to see how we can get the flag.
As you may have noticed, there’s a php file called
index.php , so let’s use
phph:// wrapper to get the source code, and see if it has anything to do with the flag.
As a response, we get the content of
index.php in a base64 encoded format.
Let’s grab that encoded text and decode it.
In the source code, the developer’s mentioned that there’s a secret stored in
/bin/secret.txt , let’s exploit that LFI again to read the file.
Great, we got our flag, now all we need to do is to change the
DO in order to fit the flag format required.
This challenge was quite interesting to me, as I learned about something called “broken commits”.
First let’s open the lab instance in our web browser.
We are presented to this encrypted text, and a message saying
Only if you could see the source code , so let’s do a simple content discovery here.
Keep in mind that the encrypted text gets changed each time we refresh the page.
As seen in the screenshot, there’s a
.git directory. Let’s see if we can access it.
At this point, I started looking for things like bypassing 403 restrictions, but that wasn’t the case. Eventually, as I was googling the challenge creator’s name (believe me, I don’t even know what made me do that). But, I found a write up about a so-called
broken commits , and it is when you can’t access the
.git directory as a whole but you still can access the inside files (for instance HEAD file).
In the write up there was a tool called
GitTool which I used to solve this challenge. After cloning the repo to my kali machine,
Command: /opt/GitTools/Dumper/gitdumper.sh http://18.104.22.168:29675/.git/ ./
And what this tool does is, it tries to brute force the files inside
.git and download them.
Now that we have the
.git directory downloaded, we need to recover the source code.
We need to run in from inside the directory in which the
.git directory is stored.
Now we have the source code of the challenge, so let’s take a look at
We have 3 important things to focus on in this code:
- encrypt function
2. decrypt function
3. The encryption key
Considering you have
php installed on your machine, we need to modify the code a little bit.
Keep in mind that this script uses
mbstring functions, so in case you get any errors, make sure to install it using:
sudo apt install php7.4-mbstring
Note: 7.4 is the installed php version in my case, make sure you install the compatible version on yours.
After modifying the script, let’s run it with
we got our flag :)
Now, as you can see in the screenshot above, I managed to get first blood on this challenge ;)
And OMG, the thrill I felt was amazing.
Opening the challenge instance in the browser gives us this page
We can download the souce code by clicking on
From the source code, we see that the function madlib is executed upon sending a POST request with 5 parameters to
In order to get the passed values rendered in the response, a param’s value length has to be less than 21.
Sending the following request:
we get this response:
seeing the 7777777 confirms that the app is vulnerable to SSTI. However, with the
if statement, we can’t just execute any payload we want.
After thinking for a bit. I took another look at the source code.
notice that the params are parsed in JSON format (which can be seen from the screenshot of burp repeater).
And this got me thinking.
the values I’ve passed in the previous request were strings, so what would happen if I passed arrays instead?
As you know,
len() functions count each character in the case of strings, but if we use arrays, it’s going to count the elements of the array regardless of the count of each element ;)
Indeed, it worked!!
Now let’s read that flag, shall we? ;)
So, that was it (unfortunately the CTF had only 3 web challenges), I hope you guys enjoyed reading, and I’ll see you all in the next write up.