Hacker101 – TempImage

I will be doing the TempImage CTF on Hacker101 today, enjoy.

Hints given:

  • File uploads can be hard to pin down
  • What happens to your filename when you see an uploaded file?
  • What if you make a small change to the path?

[screenshot: index]

As usual, check the page source first. Just mess around with the site to collect as much information as you can.

[screenshot: source]

[screenshot: source1]

[screenshot: error]

So, here we are only allowed to upload PNG images, and a strange string is prepended to our filename.

[screenshot: high]

Let’s try to access the ‘files’ directory.

[screenshot: for]

Hmm… So, let’s look at the hints. The third hint is telling us to change the path a bit. Let’s capture the traffic and see what we can do.

[screenshot: proxy]

Notice this at the end of the traffic: the PNG file is going to be displayed as we saw, and the filename

[screenshot: bef]

What is Content-Disposition? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition

What if we make a little change to it, maybe by adding an extra path component?

[screenshot: after]

[screenshot: flag0]

That is our first flag! 😋😋

As we can observe, the original file path should be

-> files/0391bdcddadeb18297f5a8c7adc23ab4_wall.PNG

but after making the change in Burp Suite it becomes

-> files/0391bdcddadeb18297f5a8c7adc23ab4_../wall.PNG

We actually changed where the PNG is saved on the server: the `../` in the filename is interpreted as part of the path, so the file escapes the ‘files’ directory.

Flag 1: Found

Disclaimer: Once again, I am unable to solve the flag completely on my own. I have read up lots of other people’s write-ups to understand the process of solving. Still I will demonstrate my way of doing. https://github.com/testerting/hacker101-ctf/tree/master/tempimage/flag1

Hints given:

  • It clearly wants one specific format
  • If you can’t bypass that check, what can you do?
  • Read up on PNG chunks

These are the 3 files we need to help us solve Flag 1. 👨🏻‍💻👨🏻‍💻

<copy.bat>
copy wall.png/b + command.php new.png

<command.php>
<?php system("ls"); ?>

<wall.png>

In command.php, instead of uploading a webshell as that guy did in his walk-through, I want to do something simple like RCE.

Executing copy.bat will produce new.png (the `/b` flag makes `copy` treat both inputs as binary, so the PHP is appended byte-for-byte after the PNG data).

[screenshot: combine]

All good? Let’s upload the PNG to the server and capture the traffic using Burp Suite.

[screenshot: high2]

Allow me to explain why you need to change the extension of ‘new.png’ to ‘new.php’. As the hint says, this upload only accepts PNG files. But changing the extension did not stop us from getting Flag 0, which means the server does not check the file extension; instead it checks the file header to determine whether the file is a PNG or not. The second reason is that if we don’t use the PHP extension, the malicious command inside the PHP tag will not be executed.

Clicking the redirection button brings us to the next page.

[screenshot: ls]

As we can see, the ‘ls’ command was executed successfully. Now, we just need to change the command to help us find the flag.

Change the command in Burp Suite to

<?php system("cat index.php | grep FLAG"); ?>

[screenshot: change]

[screenshot: flag1]

Here you go, that is your Flag 1. 🚩🚩

There are other ways to solve this as well, like changing the PNG chunks and inputting the commands or something. I am unable to do that, because I don’t really understand PNG chunks. 😂😂😂😂
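The two weaknesses used above (a filename that escapes the ‘files’ directory, and a header-only PNG check that accepts a PNG with PHP appended) can both be caught on the server side. The validator below is an added example written for this write-up, not code from the CTF; it builds a constructed minimal PNG, walks the chunk list, and reports any trailing bytes after IEND, which is exactly what the `copy /b` trick produces.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_minimal_png() -> bytes:
    """Constructed sample input: a 1x1 PNG header with IHDR and IEND only (no pixel data)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


def validate_png_upload(filename: str, data: bytes) -> list:
    """Return the list of reasons to reject the upload; an empty list means accept."""
    problems = []
    # 1. Filename must be a bare name: no separators, no '..' (catches '_../wall.PNG').
    if os.path.basename(filename) != filename or ".." in filename or "\\" in filename:
        problems.append("filename contains path separators or traversal")
    # 2. Extension allow-list: a magic-bytes check alone let new.php through in this CTF.
    if not filename.lower().endswith(".png"):
        problems.append("extension is not .png")
    # 3. Magic bytes: the check the CTF server does perform.
    if not data.startswith(PNG_SIGNATURE):
        problems.append("missing PNG signature")
        return problems
    # 4. Walk the chunks: each must parse with a valid CRC, and IEND must end the file.
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            problems.append("truncated chunk")
            return problems
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            problems.append("bad CRC in chunk %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        problems.append("no IEND chunk")
    elif pos != len(data):
        problems.append("%d trailing bytes after IEND" % (len(data) - pos))
    return problems
```

A real deployment would additionally re-encode the image with an image library and store it under a server-generated name, so nothing the client sent reaches the filesystem path.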

Thanks for reading, see you in the next post. (☞ﾟヮﾟ)☞ ☜(ﾟヮﾟ☜)

Published by bsderek

We are just 2 new authors doing write-ups on Cybersecurity-related topics to educate ourselves. We encourage you to leave a comment in areas where we can improve in terms of skills/knowledge. If we are incorrect in our write-up, please inform us and send us an article to read to better educate ourselves. Feel free to leave a comment behind. Hope you have a nice day!! And don’t forget to hack your life away!!! Peace (00)
