Information#
CTF#
- Name : noxCTF 2018
- Website : ctf18.noxale.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
200 - MyFileUploader - Web#
This is my new file uploader server. I bet you can't hack it!
Initial thoughts#
Well, I bet I can. We are presented with a very basic uploading webpage as you can see :
Let's go ahead and try to upload this very cute, basic .jpg picture :
Works. And as we can see, it also gives us the path where we can find this picture on the server : http://chal.noxale.com:8079/uploads/kittens.jpg
Before exploring this path, let's try to upload a very simple webshell named shell.php. It is actually Arrexel's script, as I find it very handy.
Nope. Doesn't want it, not surprisingly. After I tried different things, I understood I only needed to put .png, .jpg or .gif anywhere in the name of the file. So the server would still take evilshell.jpg.php as a valid input, but it would automatically erase .php if present at the end of the filename. That was a problem.
Then I went to explore the path /uploads and I found a directory called Don't open. Guess what? I opened it.
Inside was lying a .htaccess file with a very interesting content :
1 | Options +Indexes |
This means that any file ending with the home-made extension .cyb3r will be processed by the server as php code. Nice.
It was actually pretty straight forward after that.
Exploitation#
Let's take our phpbash shell and rename it to shell.png.cyb3r, then upload it.
Worked! The moment of truth now... Let's navigate to our upload path and...
Yep! Got a webshell, thanks to Arrexel. :smile:
Now let's just list what's inside this exciting 7H3-FL4G-1S-H3r3 folder :
Flagged : noxCTF{N3V3R_7RU57_07H3R5}
After thoughts#
Interesting use of .htaccess which I never heard about before. Also, felt nice to use Arrexel's script again.