A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the /root directory.
🎯 Challenge Files & Infrastructure
Provided Files
1
Files:None
🔍 Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
It is a web application that allows us to change the profile picture. By reading the URL, I noticed that it is php. So, I immediately thought, “What if I upload a php file?”. I created a .php file with echo "mH4ck3r0n3"; inside and uploaded it. Once the file was uploaded, I was redirected to a page saying that the file test.php was uploaded to the /uploads directory. So, I visited the page /uploads/test.php:
Test
Realizing that the php was indeed executed. Now that we understand the vulnerability, let’s move on to the next phase.
🔬 Vulnerability Analysis
Potential Vulnerabilities
RCE (Remote Code Execution)
🎯 Solution Path
Exploitation Steps
Initial setup
The first thing I did was immediately write a php reverse shell (https://www.revshells.com/). I copied the reverse shell: php cmd and saved it as php-reverse-shell.php. Let’s move on to the next phase.
Exploitation
Just like with the test file, I uploaded the php-reverse-shell.php file:
Upload Path
And by visiting /uploads/php-reverse-shell.php, I got my reverse shell. Now, as mentioned in the challenge description, we need to read the flag.txt file located in the /root directory. The first thing I did was run ls -la /:
ls -la
This allowed me to see the permissions on the /root directory, and since I discovered that I am the www-data user with whoami, we can see that I don’t have the necessary permissions to access /root. Since I don’t think this is a privilege escalation challenge, I ran sudo -l to check the permissions associated with my user:
sudo -l
And as we can see, no password is required to use the sudo command. So, I tried accessing /root to see its contents by running sudo ls /root:
sudo ls /root
And as we can see, I was able to access it, and inside there’s only the flag.txt file. So, I ran sudo cat /root/flag.txt to read the contents of the file and consequently retrieve the flag.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automated exploit generates the reverse shell, performs the upload, and executes sudo cat /root/flag.txt, then extracts the flag using a regex.
