Write-up piapiapia(6) – 0ctf 2016 Quals

Firstly, thanks to Phieu Lang, my idol Law.io and "meepwn.CLGT" for holding the boot camp and playing the CTF together. We finished with 41 points and ranked 12th.

Starting with piapiapia(6), we have the source code. After reading it and building it on localhost, I found that we can register, log in and update our information. The register, login and update-information paths are filtered carefully, so injection or XSS there would be very difficult. But it is easy to see that something can happen in the avatar image upload. When we upload an image there is really no filtering of its content at all; the only change is that it is stored as filename_tosave = md5(filename_upload). Of course we shouldn't upload a PHP shell, since it can't be executed. But that is not the case for JavaScript. I tried uploading an image whose content was the JavaScript alert('xam'), and something fun happened ^_^.

I decided to write a JavaScript payload that creates a PHP file to read $flag from config.php.

But it didn't work. Maybe there is no permission to create that file.

Let's try to log in as 'admin'.

From the source code, it is easy to see that this table only has two columns, 'username' and 'password'.


Trying to log in with the account (user:password) = (admin:admin) fails.


But looking carefully, there is no check after the filter. That means we can bypass the login by registering.

Something I learned from my idol "Tsu": "admin\000" ~ "admin".

I registered the account ("admin\000":"admin") and then logged in with ("admin":"admin"). Success. Yeah, I got the 'admin' account!! ^.^!
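The "admin\000" ~ "admin" collision above, modelled as an added example (not code from the challenge or from this write-up). It assumes the registration uniqueness check compares the submitted name byte-for-byte while the login lookup reads it as a NUL-terminated string; the VulnerableUserStore and HardenedUserStore classes and the demo helpers are constructed for illustration, and the hardened version shows the fix: reject control characters and use one canonical form on both paths.

```python
def c_string(name: str) -> str:
    """Read a name the way NUL-terminated C code would: stop at the first NUL byte."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]

class VulnerableUserStore:
    """Registration checks the raw name; login matches the NUL-truncated name (assumed model)."""
    def __init__(self):
        self.accounts = {}  # raw username -> password

    def register(self, username: str, password: str) -> bool:
        if username in self.accounts:  # strict: "admin\x00" is not "admin"
            return False
        self.accounts[username] = password
        return True

    def login(self, username: str, password: str) -> bool:
        for stored_name, stored_pw in self.accounts.items():
            # lenient: "admin\x00" and "admin" collapse to the same key here
            if c_string(stored_name) == c_string(username) and stored_pw == password:
                return True
        return False

class HardenedUserStore(VulnerableUserStore):
    """One canonical form on both paths; control characters are rejected outright."""
    @staticmethod
    def canonical(username: str) -> str:
        if not username or not username.isprintable() or username != username.strip():
            raise ValueError("username contains control characters or padding")
        return username

    def register(self, username: str, password: str) -> bool:
        return super().register(self.canonical(username), password)

    def login(self, username: str, password: str) -> bool:
        return self.accounts.get(self.canonical(username)) == password

def demo_takeover(store) -> tuple:
    """Replay the write-up: a real admin exists, register 'admin\\0', then log in as 'admin'."""
    store.register("admin", "real-admin-pw-constructed")  # constructed sample value
    registered = store.register("admin\x00", "admin")
    return registered, store.login("admin", "admin")

def hardened_blocks_takeover() -> bool:
    # True when the hardened store refuses the NUL-bearing registration
    try:
        demo_takeover(HardenedUserStore())
    except ValueError:
        return True
    return False
```

The same takeover appears whenever the "does this name already exist?" check and the "which row matches this login?" lookup normalise the name differently, so the real check is that both paths share one validator.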

Let's update the profile information with the JavaScript payload, log out, and wait for the bot to check my profile ('admin' is the bot).

Finally we have the flag. Bravo!!

Suddenly, someone checked this bot. Amazing!!!


Because the server was brought down, everything I did was on localhost only.

If you see any problem, please leave a comment below!

Thanks for reading.