{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-n1ctf-2021-en","result":{"data":{"markdownRemark":{"id":"42d855a5-a531-53a5-a45b-5af7cd78b924","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-n1ctf-2021\">original page</a>.</p>\n</blockquote>\n<p>I participated in n1CTF, which ran from November 20, 2021.</p>\n<p>Unfortunately I could not solve any of the problems, so this article is entirely about reviewing what I missed.</p>\n<p>I am going through the challenges using other participants’ writeups as references.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#signin-web\">Signin (Web)</a></p>\n<ul>\n<li><a href=\"#isset_gettime\">isset($_GET['time'])</a></li>\n<li><a href=\"#filegetcontentsphpinput\">file_get_contents('php://input')</a></li>\n<li><a href=\"#bypassing-date\">Bypassing date()</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"signin-web\" style=\"position:relative;\"><a href=\"#signin-web\" aria-label=\"signin web permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Signin (Web)</h2>\n<p>You can access a website running the following PHP script:</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span> \n<span class=\"token comment\">//flag is /flag</span>\n<span class=\"token variable\">$path</span><span class=\"token operator\">=</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'path'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$time</span><span class=\"token operator\">=</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_GET</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'time'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">?</span> <span class=\"token function\">urldecode</span><span class=\"token punctuation\">(</span><span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token function\">file_get_contents</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'php://input'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">:</span> <span class=\"token 
class-name return-type\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"Y/m/d H:i:s\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$name</span><span class=\"token operator\">=</span><span class=\"token string double-quoted-string\">\"/var/www/tmp/\"</span><span class=\"token operator\">.</span><span class=\"token function\">time</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token operator\">.</span><span class=\"token function\">rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token operator\">.</span><span class=\"token string single-quoted-string\">'.txt'</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$black</span><span class=\"token operator\">=</span><span class=\"token string double-quoted-string\">\"f|ht|ba|z|ro|;|,|=|c|g|da|_\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$blist</span><span class=\"token operator\">=</span><span class=\"token function\">explode</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"|\"</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$black</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">foreach</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$blist</span> <span class=\"token keyword\">as</span> <span class=\"token variable\">$b</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token function\">strpos</span><span class=\"token punctuation\">(</span><span class=\"token 
variable\">$path</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$b</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!==</span> <span class=\"token constant boolean\">false</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">die</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'111'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token function\">file_put_contents</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$time</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;pre class='language-html'>&lt;code class='language-html'>logpath:<span class=\"token interpolation\"><span class=\"token variable\">$name</span></span>&lt;/code>&lt;/pre>\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token variable\">$check</span><span class=\"token operator\">=</span><span class=\"token function\">preg_replace</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'/((\\s)*(\\n)+(\\s)*)/i'</span><span class=\"token punctuation\">,</span><span class=\"token string single-quoted-string\">''</span><span class=\"token punctuation\">,</span><span class=\"token function\">file_get_contents</span><span class=\"token punctuation\">(</span><span class=\"token 
variable\">$path</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token function\">is_file</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$check</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;pre class='language-html'>&lt;code class='language-html'>\"</span><span class=\"token operator\">.</span><span class=\"token function\">file_get_contents</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$check</span><span class=\"token punctuation\">)</span><span class=\"token operator\">.</span><span class=\"token string double-quoted-string\">\"&lt;/code>&lt;/pre>\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></span></code></pre></div>\n<p>The Flag is located at the path <code class=\"language-text\">/flag</code>, but the <code class=\"language-text\">path</code> data sent via POST is filtered by a blacklist.</p>\n<p>My original assumption was that this involved crafting an eval-like statement using characters not on the blacklist so that <code class=\"language-text\">$check</code> would ultimately contain <code class=\"language-text\">/flag</code> — but that turned out to be wrong.</p>\n<p>The key to obtaining the Flag is focusing on this line:\n<code class=\"language-text\">$time=(isset($_GET['time'])) ? 
urldecode(date(file_get_contents('php://input'))) : date(\"Y/m/d H:i:s\");</code></p>\n<h3 id=\"isset_gettime\" style=\"position:relative;\"><a href=\"#isset_gettime\" aria-label=\"isset_gettime permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>isset($_GET['time'])</h3>\n<p>This expression checks whether a variable exists — specifically, whether the GET query contains <code class=\"language-text\">time</code>.</p>\n<p>Reference: <a href=\"https://www.php.net/manual/en/function.isset.php\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PHP: isset - Manual</a></p>\n<h3 id=\"filegetcontentsphpinput\" style=\"position:relative;\"><a href=\"#filegetcontentsphpinput\" aria-label=\"filegetcontentsphpinput permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>file_get_contents('php://input')</h3>\n<p>This call runs only when the GET query contains <code class=\"language-text\">time</code>.</p>\n<p><code class=\"language-text\">file_get_contents('php://input')</code> retrieves the raw request body below the HTTP 
headers.</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/8893574/php-php-input-vs-post\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ajax - PHP “php://input” vs $_POST - Stack Overflow</a></p>\n<p>Reference: <a href=\"https://qiita.com/hirotototototo/items/d81bc081d6abfd6cc66f\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">What is PHP file_get_contents()? - Qiita</a></p>\n<h3 id=\"bypassing-date\" style=\"position:relative;\"><a href=\"#bypassing-date\" aria-label=\"bypassing date permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bypassing date()</h3>\n<p>As described above, the request data obtained as a string via <code class=\"language-text\">file_get_contents('php://input')</code> is passed to the <code class=\"language-text\">date()</code> function.</p>\n<p>Reading the <a href=\"https://www.php.net/manual/en/function.date.php\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">official documentation</a> reveals this format sample:</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span>\n<span class=\"token comment\">// Assuming today is March 10th, 2001, 5:16:18 pm, and that we are in the</span>\n<span class=\"token comment\">// Mountain Standard Time (MST) Time Zone</span>\n\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token 
function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"F j, Y, g:i a\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                 <span class=\"token comment\">// March 10, 2001, 5:16 pm</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"m.d.y\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                         <span class=\"token comment\">// 03.10.01</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"j, n, Y\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                       <span class=\"token comment\">// 10, 3, 2001</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"Ymd\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                           <span class=\"token comment\">// 20010310</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'h-i-s, j-m-y, it is w Day'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>     <span class=\"token comment\">// 05-16-18, 10-03-01, 1631 1618 6 Satpm01</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> 
<span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'\\i\\t \\i\\s \\t\\h\\e jS \\d\\a\\y.'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>   <span class=\"token comment\">// it is the 10th day.</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"D M j G:i:s T Y\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>               <span class=\"token comment\">// Sat Mar 10 17:16:18 MST 2001</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'H:m:s \\m \\i\\s\\ \\m\\o\\n\\t\\h'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>     <span class=\"token comment\">// 17:03:18 m is month</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"H:i:s\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                         <span class=\"token comment\">// 17:16:18</span>\n<span class=\"token variable\">$today</span> <span class=\"token operator\">=</span> <span class=\"token function\">date</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"Y-m-d H:i:s\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                   <span class=\"token comment\">// 2001-03-10 17:16:18 (the MySQL DATETIME format)</span>\n<span 
class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>As you can see from <code class=\"language-text\">date('\\i\\t \\i\\s \\t\\h\\e jS \\d\\a\\y.');</code>, prefixing characters with a backslash prevents <code class=\"language-text\">date()</code> from treating them as date-format tokens, so the backslash-escaped characters are output literally.</p>\n<p>Using this behavior, sending <code class=\"language-text\">\\/\\f\\l\\a\\g</code> as POST data causes <code class=\"language-text\">$time</code> to ultimately contain <code class=\"language-text\">/flag</code>, from which the Flag can be retrieved.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I really wanted to review the Rev problems too, but I could not find any writeups for them.</p>\n<p>I will update this article if I find some.</p>","fields":{"slug":"/ctf-n1ctf-2021-en","tagSlugs":["/tag/ctf-en/","/tag/web-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-26","description":"I participated in n1CTF, which ran from November 20, 2021. Unfortunately I could not solve any problems, but I am reviewing what I missed with the help of other writeups.","tags":["CTF (en)","Web (en)","English"],"title":"N1CTF 2021 Writeup","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-n1ctf-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}