CODEGATE2010 CTF Level 11

Here's my last writeup, as in the time available I was not able to solve more.
Maybe I'll publish writeups of the ones I'm solving right now, but I'm not sure yet.

Level 11's description was:

  • credentials: http://ctf6.codegate.org/31337_/index.html
  • Get a value of HKLM\Software\codegate2010, it's the flag.

    When looking at the website I tried to upload some sample files, tried to change the path where files are saved and so on, but nothing of that worked.

    After that I decided to focus on the upload filter and collected some information about the host/webserver.
    As soon as I saw the HTTP response header was: Server: Microsoft-IIS/6.0
    I was pretty sure that the vulnerability which will help me is this one:

  • http://secunia.com/advisories/37831/

    Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.
    
    The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by ";", only one internal extension being equal to ".asp" (e.g. "file.asp;.jpg"). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.
    

    I was lucky enough that it really worked :)
    The problem I had now was:

    Warning: system() [function.system]: Unable to fork [dir] in C:\Inetpub\wwwroot1337_\upload\x.php;.jpg on line 3

    Executing commands on the server was not possible, so let's try to read the registry directly with PHP and print the result.
    I used this simple example I found via Google:

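    <?php
    // Instantiate the Windows Script Host shell object through PHP's COM extension
    $shell = new COM('WScript.Shell');
    // Read the registry value named in the level description
    $data = $shell->regRead('HKEY_LOCAL_MACHINE\Software\codegate2010');
    echo $data;
    ?>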

    After uploading the new file I saw the following string printed in my browser:

    LollerSkaterz_From_RoflCopters_XXXXXXXXXXX
    

    Level 11 solved as well :)
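
The upload filter issue from the quoted advisory, seen from the defending side. This is an added example, not code from the writeup or from the challenge application: it compares a last-extension check with a strict one on names like "file.asp;.jpg". The function names, the image-only allowlist and the sample names are assumptions made for illustration.

```python
import re
import secrets

ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed image-only policy
# One base name, one dot, one extension: no ';', no extra dots, no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")

def ext(text):
    """Lower-cased suffix from the last dot onward, or '' if there is none."""
    dot = text.rfind(".")
    return text[dot:].lower() if dot != -1 else ""

def naive_filter(filename):
    """The weak check: trusts only the final extension of the whole name."""
    return ext(filename) in ALLOWED_EXTS

def segment_extensions(filename):
    """Extension of each ';'-separated segment; per the advisory, an inner
    one such as '.asp' can decide how IIS 6 handles the file."""
    return [ext(segment) for segment in filename.split(";")]

def strict_filter(filename):
    """Accept only single-extension names built from a safe character set."""
    return bool(SAFE_NAME.fullmatch(filename)) and ext(filename) in ALLOWED_EXTS

def stored_name(filename):
    """Name to save under: random base, validated extension, nothing from the client."""
    if not strict_filter(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return secrets.token_hex(16) + ext(filename)

# Constructed sample names; the second is the example given in the advisory.
SAMPLES = ["holiday.jpg", "file.asp;.jpg", "report.php.png", "notes.txt"]

def review(names):
    """(name, naive verdict, strict verdict, per-segment extensions) per sample."""
    return [(n, naive_filter(n), strict_filter(n), segment_extensions(n)) for n in names]

if __name__ == "__main__":
    for row in review(SAMPLES):
        print(row)
```

Filename checks are one layer: the upload directory should also have script execution disabled in IIS, so that a file which slips through is served as data rather than run.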

    © 2015 coma. All rights reserved.