|
| 1 | +--- |
| 2 | +title: n0s4n1ty 1 |
| 3 | +date: 2025-08-10 |
| 4 | +categories: [Capture The Flags, picoCTF] |
| 5 | +tags: [ctf, picoctf, web exploitation, writeups] |
| 6 | +description: picoCTF n0s4n1ty 1 Challenge |
| 7 | +--- |
| 8 | + |
| 9 | + |
| 10 | +> Challenge description: |
| 11 | +> |
| 12 | +>A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the `/root` directory. |
| 13 | +{: .prompt-info } |
| 14 | + |
| 15 | +Alright, lets take a look at this website. Going to the site shows us this: |
| 16 | + |
| 17 | + |
| 18 | + |
| 19 | +Looks like we are able to upload a profile picture to this site. Let's try just uploading a normal picture to try and see where the uploads are stored. |
| 20 | + |
| 21 | +This is what happened when I uploaded the same image that is this blogs favicon: |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +Alright, so with this let's try to upload a simple PHP shell to the website. Maybe this will let us get access to the web server. We will be using [this](https://github.com/JohnTroony/php-webshells/blob/master/Collection/Simple-Webshell.php) PHP webshell. |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +Looks like we were able to get access to the machine! Lets check out `/root` now! |
| 30 | + |
| 31 | +Running `ls -lsa /` gives us this: |
| 32 | + |
| 33 | +```terminal |
| 34 | +0 drwx------ 1 root root 22 Mar 6 03:56 root |
| 35 | +``` |
| 36 | + |
| 37 | +Hm, so it looks like we won't be able to access the directory as `www-data` or can we? Let's check out some of `www-data`'s permissions with `sudo` by running `sudo -l`. |
| 38 | + |
| 39 | +```terminal |
| 40 | +Matching Defaults entries for www-data on challenge: |
| 41 | + env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin |
| 42 | +
|
| 43 | +User www-data may run the following commands on challenge: |
| 44 | + (ALL) NOPASSWD: ALL |
| 45 | +``` |
| 46 | + |
| 47 | +This lets us run `sudo` as `www-data` without needing any password! Let's `cat` the `flag.txt` in `/root` now. |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +FLAG: `picoCTF{wh47_c4n_u_d0_wPHP_712a9451}` |
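Review bot: the walkthrough cannot be followed from its text alone. New lines 15 and 21 end with "shows us this:" and "This is what happened when I uploaded..." and are followed only by blank lines in this diff, and line 47 says "Let's `cat` the `flag.txt`" without showing the command. State in text where the site reported storing the upload, and put the command that read the flag in a `terminal` block like the ones at lines 33 and 39. The post also stops at the flag without naming the two flaws it relied on: the upload form accepted a PHP file that the server then executed, and the `sudo -l` output at line 44 shows `(ALL) NOPASSWD: ALL` for `www-data`. A short closing paragraph naming both, and the fix for each (restrict and validate upload types and serve uploads from a location that does not execute scripts; remove the blanket sudoers entry for the web server account), would make the write-up useful to readers beyond the challenge. Minor: "lets" at line 15 and "Lets" at line 29 should be "let's" and "Let's", "this blogs favicon" at line 21 should be "this blog's favicon", and line 12 begins `>A developer` without the space after `>` that lines 10 and 11 use.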