noxCTF 2018 - Write-ups - Part 2



200 - MyFileUploader - Web#

This is my new file uploader server. I bet you can't hack it!

Initial thoughts#

Well, I bet I can. We are presented with a very basic uploading webpage as you can see :


Let's go ahead and try to upload this very cute, basic .jpg picture :



Works. And as we can see, it also gives us the path where we can find this picture on the server :

Before exploring this path, let's try to upload a very simple webshell named shell.php. It is actually Arrexel's script, as I find it very handy.


Nope. Doesn't want it, not surprisingly. After I tried different things, I understood I only needed to put .png, .jpg or .gif anywhere in the name of the file. So the server would still take evilshell.jpg.php as a valid input, but it would automatically erase .php if present at the end of the filename. That was a problem.

Then I went to explore the path /uploads and I found a directory called Don't open. Guess what? I opened it.

Inside was lying a .htaccess file with a very interesting content :

Options +Indexes
AddType application/x-httpd-php .cyb3r

This means that any file ending with the home-made extension .cyb3r will be processed by the server as php code. Nice.

It was actually pretty straight forward after that.


Let's take our phpbash shell and rename it to shell.png.cyb3r, then upload it.

Worked! The moment of truth now... Let's navigate to our upload path and...


Yep! Got a webshell, thanks to Arrexel. :smile:

Now let's just list what's inside this exciting 7H3-FL4G-1S-H3r3 folder :


Flagged : noxCTF{N3V3R_7RU57_07H3R5}

After thoughts#

Interesting use of .htaccess which I never heard about before. Also, felt nice to use Arrexel's script again.