TSA Cyber Champion 2024

101 - Web Exploitation


Challenge Description

Web Hacking 101

Author: Fedra

Flag

TSA{Web_Hacking_101_c7319b0bd96f9d01981bbf52ebb7027f}


Analysis

We are given a website with no source code. The main page exposes two functions: a ping utility and a file upload. The upload page is loaded through a query parameter named page whose value is used as the path of the file to include, which is the classic setup for a local file inclusion (LFI).

Requesting the page with ../../../../etc/passwd as the value of page returned the contents of /etc/passwd, which confirms the LFI.

Solution

Because the page parameter ends up in a PHP include, any file we can write to the server and then include is executed as PHP, so the upload function turns the LFI into RCE. The upload only accepts images, but that is not an obstacle: PHP does not check whether the included file is a valid image, it emits everything outside <?php ... ?> tags as literal output and executes whatever is inside them. We therefore uploaded a genuine PNG with a small web shell embedded in its metadata, so the file passes the image check and still carries code.

After uploading the image and including it through the page parameter, the web shell ran whatever Unix command we passed in the asdf parameter. Running ls / showed a file named flag_c7319b0bd96f9d01981bbf52ebb7027f.txt.

Running cat on that file returned the flag.

Screenshots (images not preserved in this copy):
  • Query parameter vulnerable to LFI
  • Accessing the /etc/passwd file from the query parameter
  • PNG image containing PHP code
  • Listing the root directory
  • Outputting the flag