Last weekend was the Hackfest 2015 in Quebec City, a cybersecurity meeting with multiple conferences on different security issues and flaws. Most of those conferences were interesting and showed some very interesting techniques and technology. But the thing that was the most interesting to me was the CTF.
A very network-oriented CTF
The CTF was not like other CTFs I did. Most challenges were network oriented, and this is not the kind of thing I’m really interested in. But I guess it was a good occasion to learn and practice, which is why I’m going to talk about a specific challenge in which I needed to get a shell through a website, giving me access to the server behind it.
Popping a shell
Here’s how it went. Basically, we had a website with multiple pages. There wasn’t much we could do on those, but there was one specific page where we could upload our resume. To me this rings: here’s my entrance door. Now how to exploit this? The first thing that came into my head was to upload a php file containing a simple shell_exec('ls') to see what could be done. Now the server refused the file since its extension was not pdf. Alright, let’s change the extension and see what happens. Uploading the php file with the extension .pdf works. Great. That means I can put anything in the file, as long as it has the pdf extension.
After a little bit of searching, I found out the files were uploaded to /uploads of the website. Now I know where to go to execute the code. But loading my uploaded php/pdf file does not execute the code. It thinks it’s a pdf file, and just tells me the pdf is corrupted. How to fix this? This is the moment where using Burp Suite is useful. Using Burp Suite, I could change the extension after server validation to .php. That still failed though. But the extension .php4 was not blocked. Changed the extension to that, loaded the file in /uploads, and BAM! Got my shell.
After that, it was just a question of finding the flag. Doing ls showed a file called flag.php. That was it. Doing cat on it output the content of the page, and in HTML comments was the flag. Success.
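From the defender's side, the challenge turned on an upload handler that trusted the client-supplied file name: it checked only that the name ended in .pdf, and the web server still executed alternative PHP extensions such as .php4 from /uploads. The following is an added example, not code from the post or from the CTF server, showing that weak check next to a hardened one that validates both the name and the file content and then stores the file under a server-chosen name; the function names, the extension list and the sample payload are constructed for illustration.

```python
import re
import secrets

# Content types we actually want to accept, with the magic bytes a real file of
# that type must start with.
ALLOWED_TYPES = {"pdf": b"%PDF-"}
# Extensions a typical PHP-enabled web server may execute (the post shows .php4
# being run); assumed list, adjust to the server's handler configuration.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def weak_check(filename: str) -> bool:
    """The kind of check the challenge server appears to have used: name only."""
    return filename.lower().endswith(".pdf")


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Validate the name AND the content; never trust the client name alone.

    Returns (accepted, stored_name). The stored name is generated by the server,
    so a client cannot pick an extension the server would execute, and a name
    changed in a tampered request after validation has no effect on storage.
    """
    # Drop any directory part the client sent, then split on every dot so a
    # double extension like resume.php4.pdf is seen in full.
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False, ""
    stem, *exts = parts
    # Reject an executable extension anywhere in the name, not just at the end.
    if EXECUTABLE_EXTS & set(exts):
        return False, ""
    if exts[-1] not in ALLOWED_TYPES or not SAFE_STEM.match(stem):
        return False, ""
    # The bytes must look like the type the extension claims to be.
    if not data.startswith(ALLOWED_TYPES[exts[-1]]):
        return False, ""
    # Random server-chosen name with the canonical extension.
    return True, f"{secrets.token_hex(16)}.{exts[-1]}"


# Constructed sample inputs: a real-looking PDF header and a PHP file renamed.
REAL_PDF = b"%PDF-1.4\n% constructed sample\n"
RENAMED_PHP = b"<?php /* constructed, not a pdf */ ?>"
```

The stored file should additionally live outside the web root (or in a directory where the server has script execution disabled) and be served with a fixed Content-Type and a Content-Disposition: attachment header, so that even a validation miss cannot turn an upload into executable code.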