Sunday, 26 March 2017

VolgaCTF 2017 Quals: Share Point (Web) Write-up

Description:
Look! I wrote a good service for sharing your files with your friends, enjoy)
Solution:

1. Accessing the target shows a login page. After logging in, the Upload, Files and Share functions appear.

Upload - Upload a file.
Files - List of uploaded files.
Share - Share an uploaded file with another user.


2. I tried to upload a PHP file; the upload did not complete.


3. I tried to upload a PNG image file, and the upload completed.


4. I tested the Share function by sharing meme.png with another user.


5. Using Burp Suite to intercept the request, I found that the filename parameter is vulnerable to path traversal: I can share ../../index.php with another user, then switch to that user to read the PHP file.


6. As the other user, I downloaded index.php to my folder.
Folder structure: http://share-point.quals.2017.volgactf.ru/files/<username>/<file upload>



7. List of files.


8. But when I accessed index.php, it returned 500 Internal Server Error. It did not work :(
9. I thought for several minutes and tried using .htaccess to have files ending in .png processed as .php!

AddType application/x-httpd-php .png

10. Upload .htaccess and shell.png; shell.png contains PHP code, a simple web shell that uses the system function.


11. Access shell.png at http://share-point.quals.2017.volgactf.ru/files/<username>/shell.png?cmd=<command>



12. Find the flag with the command find / -name "*flag*"


13. cat /opt/flag.txt


My automation script:




Flag: VolgaCTF{AnoTHer_apPro0Ach_to_file_Upl0Ad_with_PhP}
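
The two inputs the service accepted in steps 5 and 10 (a share filename of ../../index.php and an uploaded .htaccess) are what server-side checks like the following would refuse. This is an added example, not part of the original write-up or the challenge's code; the function names and the demo directory are hypothetical.

```php
<?php
// Added example, not the challenge's code. Function names and the demo tree
// are hypothetical; the files/<username>/<file> layout and the two rejected
// inputs (../../index.php, .htaccess) come from the write-up.

// Upload check: a plain name with an allowlisted image extension only, so
// ".htaccess", "shell.php" and "../x.png" all fail the pattern.
function is_safe_upload_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/', $name) === 1;
}

// Share check: canonicalise the requested path and require that it stays
// inside the owner's own directory under $root.
function resolve_shared_file(string $root, string $owner, string $filename): ?string
{
    if (preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $owner) !== 1) {
        return null;
    }
    $base = realpath($root . '/' . $owner);
    $path = realpath($root . '/' . $owner . '/' . $filename);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Trailing separator keeps "files/bob" from matching "files/bobby".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo tree: <tmp>/index.php and <tmp>/files/alice/meme.png
$web = sys_get_temp_dir() . '/sharepoint_demo_' . getmypid();
mkdir($web . '/files/alice', 0700, true);
file_put_contents($web . '/index.php', 'constructed placeholder');
file_put_contents($web . '/files/alice/meme.png', 'constructed sample bytes');

var_dump(resolve_shared_file($web . '/files', 'alice', 'meme.png') !== null);        // legitimate share
var_dump(resolve_shared_file($web . '/files', 'alice', '../../index.php') !== null); // filename from step 5
var_dump(is_safe_upload_name('meme.png'));
var_dump(is_safe_upload_name('.htaccess'));   // upload from step 10
var_dump(is_safe_upload_name('shell.php'));
```

A name check does not inspect file contents, so PHP hidden inside an accepted .png still reaches disk. The .htaccess step also depends on Apache honouring overrides in the upload directory, which `AllowOverride None` on that directory turns off.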