Level 12 - Level 13
Overview
This level presents the same upload form, but this time it states explicitly that only images are allowed.
Source Code analysis
Let's take a look at the source code.
The code is almost the same, except that this time the MIME type/magic bytes of the uploaded file are checked with the exif_imagetype function to make sure the uploaded file is an image.
We can bypass this check by creating a PHP reverse shell prepended with the magic bytes of a JPEG file.
Getting the Password
We can create such a file using a simple Python script:
Upload the file generated by the above script. Remember to intercept the upload request with Burp Suite and change the hard-coded jpg extension to php.
Now let's retrieve the password by viewing the contents of /etc/natas_webpass/natas14.
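Why the check fails and one way to close the gap, as an added example that is not part of the original write-up or the level's source. It is a Python model of the upload logic; the function names and the constructed sample bytes are assumptions made for illustration.

```python
import secrets

# File signatures mapped to the only extensions the server will ever write.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample: JPEG signature followed by non-image bytes (no payload).
SAMPLE = b"\xff\xd8\xff\xe0" + b"<?php /* constructed placeholder */ ?>"


def sniff_type(data: bytes):
    """Signature check only: inspects the leading bytes, nothing after them."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def weak_store_name(data: bytes, client_filename: str):
    """Pattern from this level: content is sniffed, extension comes from the request."""
    if sniff_type(data) is None:
        return None
    ext = client_filename.rsplit(".", 1)[-1]  # client-controlled
    return f"{secrets.token_hex(5)}.{ext}"


def hardened_store_name(data: bytes, client_filename: str):
    """Extension is derived from the detected type; the client's name is ignored."""
    ext = sniff_type(data)
    if ext is None:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # The signature check passes for both, but only the weak path keeps ".php".
    print("weak:    ", weak_store_name(SAMPLE, "upload.php"))
    print("hardened:", hardened_store_name(SAMPLE, "upload.php"))
    print("rejected:", hardened_store_name(b"plain text", "upload.jpg"))
```

Deriving the extension server-side means the stored file is never handed to the PHP interpreter; serving the upload directory with script execution disabled covers the case where a signature check alone is fooled.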