Look! I wrote a good service for sharing your files with your friends, enjoy)Solution:
1. Access to target and found login page, After login will appear Upload, Files and Share functions.
Upload - Upload file.
Files - List of files upload.
Share - Share file upload to anothers user.
2. Try to upload PHP file, It not complete.
3. Try to upload PNG image file and upload complete.
4. I perform test a share function to share meme.png to another user.
5. Using Burp Suite to intercept request, in parameter filename is have vulnerable to Path Traversal, I can share ../../index.php to another user, and go to another user to read php file.
6. In another user. I perform download index.php to my folder.
Structure of folder: http://share-point.quals.2017.volgactf.ru/files/<username>/<file upload>
7. List of file.
8. But when I access to index.php, It return 500 Internal Server Error, Not work :(
9. I think several minute and try to use .htaccess to process file ending with .png as .php!
AddType application/x-httpd-php .png
10. Upload .htaccess and shell.png, in shell.png contain php code is a simple web shell that use system function.
12. Find a Flag, use command find / -name "*flag*"
13. cat /opt/flag.txt
My Automate Script:
Flag: VolgaCTF{AnoTHer_apPro0Ach_to_file_Upl0Ad_with_PhP}
http://thaitechnews.com
ตอบลบ