preg_replace is a PHP function built on PCRE whose main job is, as its name suggests, string replacement. The function itself is not deprecated; what was deprecated in PHP 5.5.0 (and removed in PHP 7.0) is its «e» modifier, and preg_replace_callback is what you should use instead of it. Let's see an example:
<?php
$string = 'Ugly level';
$pattern[0] = '/Ugly/';
$pattern[1] = '/level/';
$replacement[0] = 'Tricky';
$replacement[1] = 'function';
echo preg_replace($pattern, $replacement, $string);
?>
The output will be «Tricky function»: when arrays are passed, each pattern is applied in order and replaced with the element at the same index of the replacement array.
The problem arises with the «e» modifier. It tells preg_replace to substitute the back-references into the replacement string and then hand the result to eval(), so the replacement is executed as native PHP code rather than inserted as text. If any of the captured groups comes from untrusted input, that input ends up inside PHP source. That is exactly what the code in this level does:
function spam($email) {
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

function markup($filename, $use_me) {
    $contents = file_get_contents($filename);
    // /e: group \2 (taken from the file) is spliced into spam("...") and eval'd
    $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

$output = markup($argv[1], $argv[2]);
print $output;
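To make the sink concrete, here is an added example that is not part of the level's code: the same markup() logic rewritten with preg_replace_callback, plus a helper that only builds (and does not evaluate) the string the original /e version would have passed to eval() for a given capture. The names markup_safe and evaluated_replacement_for, and the sample input, are mine; the escaping rule the helper mimics is the one documented for /e (single quotes, double quotes, backslashes and NUL in a substituted back-reference are backslash-escaped).

```php
<?php
// Added example, not the level's own code.

function spam($email) {
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);
    return $email;
}

// Hardened markup(): no /e, no eval. The callback receives the match array
// and returns replacement text; nothing read from $contents is parsed as PHP.
function markup_safe($contents) {
    $contents = preg_replace_callback(
        "/\[email (.*)\]/",
        function ($m) { return spam($m[1]); },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);
    return $contents;
}

// What the original /e version hands to eval() for a captured e-mail.
// Only builds the string, so it also runs on PHP 7/8 where /e is gone.
// addcslashes() approximates the back-reference escaping the manual describes.
function evaluated_replacement_for($captured_email) {
    $escaped = addcslashes($captured_email, "'\"\\\0");
    return 'spam("' . $escaped . '")';
}

// Constructed sample input (not the level's /tmp file).
$sample = "[email alice@example.com] wrote this";
echo markup_safe($sample), "\n";
// alice AT example dot com wrote this
echo evaluated_replacement_for('alice@example.com'), "\n";
// spam("alice@example.com")
```

The point of the helper is to show where the captured text lands: inside a double-quoted PHP string literal that is about to be evaluated. Because quotes in the back-reference are escaped, the attacker cannot simply close that literal, but everything PHP itself interpolates inside double quotes (variables and curly-brace expressions) is still processed before spam() is ever called, and the eval runs in the scope of markup(), where $use_me is a live variable. The callback version removes the eval entirely, so the capture is only ever data.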
Let's see how it works. We have set up a file in /tmp that contains two lines that will produce two different behaviors within the vulnerable function of this level. I have to say I had to read a lot of documentation regarding this, but that's the main reason why I started these challenges: +1 PHP, +1 privesc, +1 PCRE, -1 preg_replace, so funny!
The first red box shows the /tmp file we're passing to the PHP sink function, the second box shows id executed as the flag09 user, which we want to escalate to, and the third red box shows the normal behavior of the program. Note that flag09.php is executed by a binary owned by flag09, as you can see in the picture above too.
«There’s a C setuid wrapper for some vulnerable PHP code…»
So if we are able to execute code through it, that code will run with flag09's privileges.
Lastly, I have to say I would have been caught this time if some admin had implemented the method I described in my last post about fsnoop.