101 - Web Exploitation

Challenge Description

Web Hacking 101

Author: Fedra

Flag

TSA{Web_Hacking_101_c7319b0bd96f9d01981bbf52ebb7027f}


Analysis

We are given a website with no source code provided. The main page shows that the site has a ping feature and a file upload feature. When we open the file upload page, the website uses a query parameter to choose which page to include, which suggests a possible local file inclusion (LFI).

Query parameter vulnerable to LFI

After using ../../../../etc/passwd as the value of page, we confirmed an LFI vulnerability.

Accessing the /etc/passwd file from the query parameter

Solution

Because the file named in the query parameter is included, and therefore executed as PHP rather than just read, uploading a file we control leads to RCE. The upload functionality only allows images, so we embed the PHP code in the image metadata.

PNG image containing PHP code

After uploading the file and accessing it through the query parameter, we could run any Unix command through the asdf parameter. Running ls / revealed a file called flag_c7319b0bd96f9d01981bbf52ebb7027f.txt.

Listing the root directory

We just need to cat the file to get the flag.

Outputting the flag
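How the two weaknesses chained above could be closed, as an added example that is not the challenge's code (its source was never provided). The names PAGES, resolve_page, store_image and the pages/ layout are hypothetical; only the page parameter and the traversal string come from the write-up.

```php
<?php
// Added example with hypothetical names; requires the GD extension for store_image().

// Fix 1: the `page` value is only a key into a fixed map. No path is ever
// built from user input, so neither traversal nor an uploaded file can be included.
const PAGES = [
    'home'   => __DIR__ . '/pages/home.php',
    'ping'   => __DIR__ . '/pages/ping.php',
    'upload' => __DIR__ . '/pages/upload.php',
];

function resolve_page(string $page): ?string
{
    // "../../../../etc/passwd" or a path into the upload directory is not a key.
    return PAGES[$page] ?? null;
}

// Fix 2 (defense in depth): decode the upload and write a fresh PNG, so the
// metadata of the original file is not stored, under a server-chosen name.
function store_image(string $tmpPath, string $uploadDir): ?string
{
    $data = file_get_contents($tmpPath);
    if ($data === false) {
        return null;
    }
    $img = @imagecreatefromstring($data);   // false if the bytes are not an image
    if ($img === false) {
        return null;
    }
    imagesavealpha($img, true);             // keep transparency in the new file
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, $uploadDir . '/' . $name) ? $name : null;
}

// Constructed inputs: one valid page, the traversal from the analysis,
// and a path into a hypothetical upload directory.
foreach (['upload', '../../../../etc/passwd', 'uploads/example.png'] as $p) {
    printf("%-26s => %s\n", $p, resolve_page($p) ?? 'rejected');
}
```

The allowlist is what removes the include primitive; re-encoding and serving uploads from a directory where PHP is never executed only reduce what a stored file can do.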
