noxCTF 2018 - Write-ups - Part 2

๐Ÿ”—Information

๐Ÿ”—CTF

๐Ÿ”—200 - MyFileUploader - Web

This is my new file uploader server. I bet you can't hack it!

http://chal.noxale.com:8079

๐Ÿ”—Initial thoughts

Well, I bet I can. We are presented with a very basic uploading webpage as you can see :

Basicupload

Let's go ahead and try to upload this very cute, basic .jpg picture :

Kitten

Kitten

Works. And as we can see, it also gives us the path where we can find this picture on the server : http://chal.noxale.com:8079/uploads/kittens.jpg

Before exploring this path, let's try to upload a very simple webshell named shell.php. It is actually Arrexel's script, as I find it very handy.

Nope

Nope. Doesn't want it, not surprisingly. After I tried different things, I understood I only needed to put .png, .jpg or .gif anywhere in the name of the file. So the server would still take evilshell.jpg.php as a valid input, but it would automatically erase .php if present at the end of the filename. That was a problem.

Then I went to explore the path /uploads and I found a directory called Don't open. Guess what? I opened it.

Inside was lying a .htaccess file with a very interesting content :

1
2
Options +Indexes
AddType application/x-httpd-php .cyb3r

This means that any file ending with the home-made extension .cyb3r will be processed by the server as php code. Nice.

It was actually pretty straight forward after that.

๐Ÿ”—Exploitation

Let's take our phpbash shell and rename it to shell.png.cyb3r, then upload it.

Worked! The moment of truth now... Let's navigate to our upload path and...

Yep

Yep! Got a webshell, thanks to Arrexel. :smile:

Now let's just list what's inside this exciting 7H3-FL4G-1S-H3r3 folder :

Flag

Flagged : noxCTF{N3V3R_7RU57_07H3R5}

๐Ÿ”—After thoughts

Interesting use of .htaccess which I never heard about before. Also, felt nice to use Arrexel's script again.

Share