Level 12 - Level 13
This level presents the same upload form, but this time it clearly states that only images are allowed.
Let's take a look at the source code.
The code is almost the same, except that this time the MIME type/magic bytes of the uploaded file are checked using the exif_imagetype function to make sure the uploaded file is an image.
We can bypass this check by creating a PHP reverse shell prepended with the magic bytes of a JPEG file.
We can create such a file using a simple Python script:
Upload the file generated by the above script. Remember to intercept the upload request with Burp Suite and change the hard-coded jpg extension to php.
Now let's retrieve the password by viewing the contents of /etc/natas_webpass/natas14.
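Why the check fails, and one way to close the gap, as an added example that is not part of the original writeup or the level's source: a signature check only inspects the leading bytes, so the stored extension has to come from the detected type rather than from the request. The function names, the signature table and the sample bytes are assumptions made for illustration; the weak variant is modelled on the behaviour described above, not copied from the challenge code.

```python
import secrets

# Leading signatures only: the same evidence a magic-byte check relies on.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_type(data: bytes):
    """Return the extension implied by the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def weak_store_name(data: bytes, client_name: str):
    """Weak pattern: the type check passes, then the client picks the extension."""
    if sniff_type(data) is None:
        return None
    ext = client_name.rsplit(".", 1)[-1]  # attacker-controlled
    return f"{secrets.token_hex(5)}.{ext}"


def hardened_store_name(data: bytes, client_name: str):
    """Hardened pattern: the extension derives from the detected type only."""
    ext = sniff_type(data)
    if ext is None:
        return None
    # client_name is deliberately ignored when building the stored name.
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample: a JPEG signature followed by bytes that are not image data.
SAMPLE = b"\xff\xd8\xff\xe0" + b"this is not image data"

if __name__ == "__main__":
    print("weak:    ", weak_store_name(SAMPLE, "upload.php"))
    print("hardened:", hardened_store_name(SAMPLE, "upload.php"))
    print("rejected:", hardened_store_name(b"plain text", "a.jpg"))
```

The hardened name still says nothing about the bytes after the signature, so uploads should also be stored where the web server will not execute scripts, and re-encoding the image on the server discards any trailing non-image content.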