Based off the name of the challenge we know the interesting stuff is in the
CONTACT US section of the site:
Looking at the source and packet headers we see the site is in php. The challenge description mentions how dangerous mailing libraries can be, let's see if we can find a nice exploit.
We found a nice cve that shows how you could get remote code execution from PHPMailer, seems like it fits like a glove to our situation.
We filled the form using parameters from their POC:
Name: 1337 H4X0r Email: "attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com Message: <?php phpinfo(); ?>
After disabling the
type="email" and filling out the captcha we got this message:
You are so close! please change the backdoor location to: /var/www/html/cache/d0bcbc798d7b.php.
Looks like we're golden. Changing our paramaters according to the message, and updating our php payload to something more useful:
Name: 1337 H4X0r Email: "attacker\" -oQ/tmp/ -X/var/www/html/cache/d0bcbc798d7b.php some"@email.com Message: echo exec('cat $(find / -name flag.txt)');
We again disabled
type="email", filled out the captcha and submitted the form. Now after waiting an eternity the page reloaded and we could finally navigate to:
There towards the end of the output we found the flag: