🌐 Trickster

A detailed write-up of the Web challenge 'Trickster' from PicoCTF - 2024

/images/PicoGym/PicoCTF-2024/Trickster/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 3/10 |
| 👤 Author | Junias Bonou | Profile |
| 🎮 Solves | 8.398 | solve rate |
| 📅 Date | 31-01-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

I found a web app that can help process images: PNG images only!

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2024/Trickster/site_presentation.png
Site Presentation

with a form that accepts a .png image for upload. Uploading a random PNG file succeeded. I then used the Wappalyzer extension to identify the language and server the site was running on:

/images/PicoGym/PicoCTF-2024/Trickster/wappalyzer.png
Wappalyzer

As we can see, the site runs on Apache with PHP. Next, I ran gobuster to discover files and directories on the web server:

/images/PicoGym/PicoCTF-2024/Trickster/gobuster.png
Gobuster

Gobuster turned up two interesting entries: robots.txt and the /uploads/ folder. Visiting the robots file, I found two paths:

/images/PicoGym/PicoCTF-2024/Trickster/robots.png
Robots

Namely, /instructions.txt and the /uploads folder, which I had already found through gobuster. Visiting /instructions.txt, I found this:

/images/PicoGym/PicoCTF-2024/Trickster/instructions.png
Instructions

These were the actual instructions for the web application. As we can see, the upload handler only checks that .png appears in the file name and that the file contains the PNG magic number. A magic number (file signature) is a fixed byte sequence at the very start of a file that identifies its format; for PNG it is the eight bytes 89 50 4E 47 0D 0A 1A 0A, i.e. 0x89 followed by the ASCII letters PNG and a line-ending sequence. Neither check is sufficient: ".png" appearing somewhere in the name says nothing about the final extension, which is what Apache uses to choose a handler, and a signature check only proves that the file starts with (or, here, merely contains) those bytes, not that the rest of it is image data. Once I understood this, I confirmed that I could upload files other than .png by creating a file containing the word PNG (the part of the magic number the check looks for) and naming it exploit.png.php. The upload was accepted, so I immediately knew how to exploit the vulnerability.
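As an added example, not code from the challenge or from this write-up (the page does not show the server's PHP), here is a Python reconstruction of the two rules in /instructions.txt next to a hardened check. The function names, the random on-disk name and the use of the full 8-byte signature are assumptions about how such a check is usually written; only the two rules themselves (".png" in the name, PNG magic number present) come from the instructions file.

```python
import os
import secrets

# The real PNG magic number: 8 bytes, not just the ASCII letters "PNG".
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {"png"}


def weak_check(filename: str, data: bytes) -> bool:
    """Reconstruction (assumption) of the two rules in /instructions.txt:
    '.png' somewhere in the name, and the PNG magic number somewhere in the
    body. 'exploit.png.php' satisfies the first rule; any file that merely
    contains the bytes 'PNG' satisfies the second."""
    return ".png" in filename.lower() and b"PNG" in data


def strong_check(filename: str, data: bytes) -> bool:
    """Hardened check: the LAST extension must be on an allow-list (that is the
    one Apache uses to pick a handler), and the body must START with the full
    8-byte signature rather than contain a fragment of it."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS and data.startswith(PNG_SIGNATURE)


def safe_stored_name() -> str:
    """Never keep the client-chosen name on disk. A server-generated random
    name with a fixed extension means that even a polyglot that passes
    strong_check() (e.g. 'shell.php.png' with a valid signature) is stored as
    <random>.png, so no '.php' ever appears in the stored path."""
    return secrets.token_hex(16) + ".png"


def build_polyglot(param: str = "cmd") -> bytes:
    """The kind of upload body the write-up describes: PNG signature first,
    then a PHP web shell that runs the value of the given GET parameter
    through system(). PHP emits the leading bytes as output, then runs the tag."""
    return PNG_SIGNATURE + b"<?php system($_GET['" + param.encode() + b"']); ?>"
```

Note that `strong_check("shell.php.png", build_polyglot())` still returns True: a signature check cannot distinguish a PNG from a PNG-prefixed script, which is why the random stored name matters, and why the PHP handler should be bound with a `<FilesMatch "\.php$">` block rather than `AddHandler`, since Apache's mod_mime applies `AddHandler` to every extension in a multi-extension name.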

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • Unrestricted file upload (PNG/PHP polyglot file)
  • RCE via an uploaded PHP web shell

🎯 Solution Path

Exploitation Steps

Initial setup

To exploit the vulnerability, I created a file named exploit.png.php so that it would pass the upload check, putting the PNG magic number at the beginning of the file, since that is what the server verifies before accepting the upload. Then I took the PHP "cmd" web shell from https://www.revshells.com/ (a one-liner that passes the cmd GET parameter to PHP's system() function; a command web shell rather than a true reverse shell) and pasted it below the PNG signature I had written.

Exploitation

Once this was done, the exploit consisted of uploading the file and then visiting /uploads/exploit.png.php. Apache selects the PHP handler from the file's final .php extension, so the script runs: PHP sends the leading PNG bytes as output and then executes the code after them. Through the web shell, which passes the cmd parameter to PHP's system() function, I achieved RCE (Remote Code Execution) and could run commands on the web server. After that, all that was left was to find the flag:

ls ..
cat ../MFRDAZLDMUYDG.txt

Running ls .. showed only one unusual file, MFRDAZLDMUYDG.txt, so I immediately suspected it was the flag. Indeed, running cat on that file revealed the flag.

Flag capture

/images/PicoGym/PicoCTF-2024/Trickster/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The exploit follows exactly the steps described above. It sends a POST request to upload the exploit.png.php file, then a GET request to /uploads/exploit.png.php with the parameter cmd=cat MFRDAZLDMUYDG.txt. I extracted the flag from the response with a regex and printed it.

🚩 Flag Capture

Flag

picoCTF{c3rt!fi3d_Xp3rt_tr1ckst3r_ab0ece03}

Proof of Execution

/images/PicoGym/PicoCTF-2024/Trickster/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

New Knowledge

I learned what a polyglot file is and how to turn a weakly validated file upload into RCE.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:08 | From start to flag |
| Global Ranking | | Challenge ranking |
| Points Earned | | Team contribution |

Created: 31-01-2025 • Last Modified: 31-01-2025 • Author: mH4ck3r0n3 • Team: