INTRO
Sharky CTF has ended, but you can still register and log in. It doesn’t matter whether the CTF has ended or not; what always matters most is to learn new things.
I heard about this CTF from a friend. I think that when he told me about Sharky CTF, only 4 hours were left before the start of the CTF, and I didn’t try to attempt all the challenges. I saw that the Blockchain challenges were very hard; obviously, they were not made for a script kiddie. I tried some web, network, misc, and steganography challenges.
Congratulations to the winning team, Apéri’Kube, a team from France. They won the prize: “One month of HTB Prolab + one month of a different Prolab” was to be given to the first-place winner by HTB. HTB and Ensibas sponsored this CTF.
Today, we will learn about polyglot files and see how a polyglot file actually works. It was new for me too; I didn’t know about polyglot files before. It was in a misc challenge named “Erwin’s File Manager”, worth 197 points, which seems fair given what we have to do in this challenge.
Attack
First, log in to the Sharky CTF and find the misc challenges.
Screenshot:
Click on the “Erwin’s File Manager” challenge.
Screenshot:
We got a hint or description (whatever you want to call it) of the challenge: “Erwin just built himself a website. He is talking about quantum information science but in the end he doesn’t know much about infosec. Could you help him fulfill his goal by reapplying quantum concept on this website”
But for now, let’s just ignore it, because we have no idea about the website. Honestly, I couldn’t find any useful information in this. But let me know in the comments if you find something interesting.
Now, open the given URL: erwin.sharkyctf.xyz/
Screenshot:
If you look closely, you will find the word “Merge”. We also have an upload page. Click on the blue link (upload page).
Screenshot:
It seems to be a simple script which is running or going to run. It is just there to give us an idea of how the server will check an uploaded file.
Look at these lines:
# Überprüfen Sie das Dateiformat
is_ELF = check_ELF(filename)
is_PDF = check_PDF(filename)
is_JAR = check_JAR(filename)
is_JPG = check_JPG(filename)
The comment is in German; it means “# Check the file format”. Basically, it is telling us that the server is checking whether the uploaded file is an ELF, PDF, JAR, or JPG.
The next lines are the following:
if is_ELF and is_JAR and is_PDF:
    put_aside(filename)
    return upload(msg=SECOND_PART_OF_FLAG)
elif is_ELF and is_JAR:
    put_aside(filename)
    return upload(msg=FIRST_PART_OF_FLAG)
elif is_JPG and is_JAR:
    put_aside(filename)
    return upload(msg=THIRD_PART_OF_FLAG)
These are the conditions that check the file format.
If you scroll down, you will find this:
Let’s just upload a wrong file, I mean just a JPG file. You can try it yourself.
I have this love.jpg to upload. If I upload this file, I get an error “Bad file”, which is obvious: the website is not just asking for a file; it is asking for two file formats in one file.
Screenshot:
And that’s where the concept of the polyglot file comes in.
Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
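As an added example (not code from the original writeup or the challenge), here is how the four checks shown earlier can each pass on a single file, and the policy a defender would add. The bodies of check_ELF, check_PDF, check_JAR and check_JPG are assumptions, since the challenge only shows their names; the ELF+PDF+JAR sample is constructed inline, and detect_formats and accept_upload are hypothetical helper names.

```python
import io
import zipfile

# Assumed format checks (the challenge's check_* bodies are not shown on the page).
def check_ELF(data: bytes) -> bool:
    # The ELF magic must sit at offset 0; trailing bytes are ignored by loaders.
    return data[:4] == b"\x7fELF"

def check_PDF(data: bytes) -> bool:
    # The PDF spec lets readers find "%PDF-" anywhere in the first 1024 bytes.
    return b"%PDF-" in data[:1024]

def check_JAR(data: bytes) -> bool:
    # ZIP readers locate the end-of-central-directory record from the END of the
    # file, so arbitrary leading bytes are tolerated; a JAR is a ZIP with a manifest.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return False

def check_JPG(data: bytes) -> bool:
    # JPEG files start with the SOI marker FF D8 followed by another marker (FF ..).
    return data[:3] == b"\xff\xd8\xff"

def detect_formats(data: bytes) -> set:
    # Returns every format the file passes as; the checks are not mutually exclusive.
    checks = {"ELF": check_ELF, "PDF": check_PDF, "JAR": check_JAR, "JPG": check_JPG}
    return {name for name, fn in checks.items() if fn(data)}

def build_polyglot() -> bytes:
    # Constructed sample: 64 bytes beginning with the ELF64 magic (not a loadable
    # binary), a tiny PDF skeleton inside the first 1024 bytes, then a real JAR.
    elf_header = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    pdf_part = b"%PDF-1.4\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return elf_header + pdf_part + buf.getvalue()

def accept_upload(data: bytes) -> bool:
    # Defensive policy: accept a file only if it matches exactly one known format,
    # so a polyglot that satisfies several checks is rejected rather than routed.
    return len(detect_formats(data)) == 1

if __name__ == "__main__":
    sample = build_polyglot()
    print(sorted(detect_formats(sample)))   # ['ELF', 'JAR', 'PDF']
    print(accept_upload(sample))            # False
```

The challenge's logic rewards a file that matches several checks at once; the same detect_formats result is what an upload handler should treat as a reason to reject.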
So, we are going to upload a polyglot file. I saw some Python scripts on GitHub which can be used to generate a polyglot file, but I also found a GitHub repository where all kinds of polyglot files are present.
Go to this page: github.com/Polydet/polyglot-database/tree/master/files
We are going to upload files according to the conditions given in the script. First, look at this: if is_ELF and is_JAR and is_PDF:
It seems that it is asking for a JAR, ELF, and PDF file. Now, if you take a look at the GitHub page, you will find the ELF+JAR+PDF file.
Screenshot:
After that, download the file and upload it to the website. This time, you should get a flag in green instead of an error.
Screenshot:
I am showing the flag because the CTF is over. Otherwise, you know me very well; I would never do that.
I hope you have now understood the use of the polyglot file here. You can test other polyglot files against the other conditions to get the 2 remaining flags.
Thanks for visiting.