32C3: “MonkeyBase” WriteUp

A group of highly trained monkeys from outer space have been using earthlings' technology to communicate (over the web). We want to know their secrets and intentions so we infiltrated them. Here’s their platform of communication and an invite key:

invite key: d991065ab84307e7904e2b9b515a2d69

MonkeyBase was a simple PHP application that allowed users to chat. Let’s register ourselves using the invite key provided in the challenge description. We can now send messages to everyone who is currently logged in.

The “Help” section mentions that we can use some BB codes in our messages; one of them is [URL]. After sending a link, the web app provides a preview of the URL.

Let’s see if we are able to get a “preview” of local files!

Nice! We can read arbitrary files on the server. Let’s get the source code of the file /var/www/html/index.php using the same procedure:

On line 5 we can see that they include a config.php file, so let’s do the same again and read the file /var/www/html/config.php:

Line 8 sounds very interesting: // Area51 is on /SuperMonkeysArea51/ SuperMonkey:w34r3th3sup3r0ut3rsp4c3cr34tur35

Visiting that directory serves us an HTTP Basic Authentication prompt. Luckily, we were given the credentials in the comment in the config.php file: SuperMonkey:w34r3th3sup3r0ut3rsp4c3cr34tur35.

We now get an Apache directory listing with only one file in it: d322289ce0ddbf435603455bf0ecf1b36b5cc79a_note.php. If we try to open it we get a blank page, but according to the directory listing, the file size is 106 bytes (so it’s not empty!). Let’s do one last file read, this time reading our newly discovered file /var/www/html/SuperMonkeysArea51/d322289ce0ddbf435603455bf0ecf1b36b5cc79a_note.php:

Flag: 32c3_W3_4re_Ju57_An_Adv4nc3d_Br33d_0f_Monkeys_0n_A_M1n0r_Plan3t_0f_A_V3ry_Av3r4ge_St4r
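
Every file read above worked because the [URL] preview fetched whatever it was handed. The following is an added example, not code from the challenge: a PHP check that a preview fetcher could run before fetching, allowing only http/https URLs whose host resolves to public addresses. The names check_preview_url, is_public_ip and the $resolve callback are hypothetical, and the DNS answers are constructed so it runs offline.

```php
<?php
// Added example: decide whether a user-supplied [URL] may be fetched for a preview.
// check_preview_url() and the $resolve callback are hypothetical names.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects loopback, link-local and other reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns [true, list of IPs to connect to] or [false, reason].
function check_preview_url(string $url, callable $resolve): array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'])) {
        return [false, 'not an absolute URL'];
    }
    // Allowlist the scheme first: file://, php://, gopher:// and friends stop here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    if (!isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'missing host or embedded credentials'];
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return [false, "resolves to non-public address $ip"];
        }
    }
    return [true, $ips];
}

// Constructed DNS answers so the example runs offline; use a real resolver in production.
$dns = ['example.com' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$resolve = fn(string $h) => $dns[$h] ?? [];

$samples = ['file:///var/www/html/config.php', 'http://127.0.0.1/', 'http://intranet.example/', 'https://example.com/a'];
foreach ($samples as $u) {
    [$ok, $info] = check_preview_url($u, $resolve);
    printf("%-34s %s\n", $u, $ok ? 'allow' : "deny ($info)");
}
```

In a real fetcher the connection should be pinned to the returned IPs and redirects either disabled or re-checked, otherwise a second DNS lookup or a redirect can bypass the check.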

