Try

REFERENCE

http://rawsec.ml/en/C3CTF-33-150-try-web/

Description

“I never try anything, I just do it!” Do

Flag is in /challenge/flag


Solution

Log in with any credentials you like.

Then test the load and run functions.

The load function takes the selected option's value as a path and reads that file.

The run function runs the file named by the hidden input's value, which must be a valid Haskell source file.

ghc $_POST['run_file']

Trying path traversal fails. The application checks the beginning of the value, and if it contains .. or ./../ it reports "Possible path traversal detected!". So we cannot load or run a file outside the directory.

So we need to find another way. Look at the upload page and the profile page. The upload page is not implemented. On the profile page a user can change their name and avatar, and that is the only entry point.

However, it won't accept any file except a GIF, and the image size must be larger than a small int. So try to upload a fake GIF image.

The GIF image format starts with GIF89a. So try to construct a Haskell program that starts with GIF89a.

It's difficult until the contest ends. :)

We can write it like this:

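GIF89a = GIF89a{--}  -- pattern binding on the constructor below; {--} is an empty block comment
data GIF89a = GIF89a  -- declares the GIF89a type and constructor used on the first line
main = do
    contents <- readFile "/challenge/flag"
    print $ contents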

Then upload the file. The avatar is stored in the same directory as the Haskell file, so run the image and get the result.

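Added example, not part of the original write-up or the challenge's code: the upload was accepted because the file began with GIF89a, so this sketch contrasts a magic-bytes-only check (an assumed shape, since the site's real check is not shown) with a validator that walks the whole GIF block structure. The function names and both sample inputs are constructed for illustration.

```python
import struct

def magic_only_check(data: bytes) -> bool:
    # Assumed weak check: trusts the six-byte signature and nothing else.
    return data[:6] in (b"GIF87a", b"GIF89a")

def is_wellformed_gif(data: bytes) -> bool:
    """Parse header, screen descriptor and every block up to the trailer."""
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            return False
        width, height, flags = struct.unpack_from("<HHB", data, 6)
        if width == 0 or height == 0:
            return False
        pos = 13                      # signature (6) + screen descriptor (7)
        if flags & 0x80:              # global color table present
            pos += 3 * (2 << (flags & 0x07))
        saw_image = False
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:         # trailer must be the final byte
                return saw_image and pos == len(data)
            if block == 0x21:         # extension: label, then sub-blocks
                pos += 1
            elif block == 0x2C:       # image descriptor (9 bytes follow)
                iflags = data[pos + 8]
                pos += 9
                if iflags & 0x80:     # local color table present
                    pos += 3 * (2 << (iflags & 0x07))
                pos += 1              # LZW minimum code size
                saw_image = True
            else:
                return False          # unknown block type
            while data[pos] != 0:     # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                  # sub-block terminator
    except (IndexError, struct.error):
        return False                  # truncated or malformed input

# Constructed samples: a minimal 1x1 GIF and a text file that only
# borrows the GIF89a signature (its body is harmless).
TINY_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x4c\x01\x00" + b"\x3b")
POLYGLOT = b"GIF89a = GIF89a{--}\ndata GIF89a = GIF89a\nmain = return ()\n"

if __name__ == "__main__":
    for name, blob in (("tiny gif", TINY_GIF), ("polyglot", POLYGLOT)):
        print(name, magic_only_check(blob), is_wellformed_gif(blob))
```

Structural validation is only one layer: the chain described above also depends on avatars being stored in the directory the run function operates on, so keeping uploads out of that directory (or re-encoding them server-side) removes the path from upload to execution.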