Trickster

Description

Solution

1. Step 1Understand the vulnerability
   This File Upload Exploitation guide explains the upload exploit well. The file upload tries to make sure that the file is a PNG by looking at the magic bytes and file extension. However, the validation is weak:

   • It checks for PNG magic bytes at the start of the file
   • It checks that the filename contains "png" anywhere in it
   Learn more

   File upload vulnerabilities occur when a server accepts user-supplied files without properly validating their content or handling them safely. They are one of the most impactful web vulnerabilities because a successful upload can lead directly to remote code execution (RCE) - the attacker runs arbitrary commands on the server.

   This challenge demonstrates two common but flawed validation approaches used together:

   • Magic byte check - reading the first bytes of the file to confirm it "looks like" a PNG. An attacker can prepend valid PNG magic bytes (89 50 4E 47 0D 0A 1A 0A) to any payload.
   • Extension substring check - verifying "png" appears somewhere in the filename. The substring "png" in shell.png.php satisfies this check while the actual executing extension is .php.

   Proper validation requires an allowlist of safe extensions, server-side MIME detection independent of the filename, and storing uploads outside the web root so they cannot be directly executed.

2. Step 2Download the PHP web shell
   Download the phpbash.php script (or any simple PHP shell). This will be used to gain command execution on the server.
   Learn more

   A web shell is a script uploaded to a web server that provides a browser-based interface for executing operating system commands. PHP web shells are common because PHP is the most widely deployed server-side scripting language. Even a minimal one-liner like <?php system($_GET['cmd']); ?> gives full command execution.

   phpbash is a more polished web shell that renders a terminal-like interface in the browser, making it easier to navigate the file system interactively. It is widely used in CTF challenges because it is easy to use and publicly available.

   In real penetration tests, web shells are uploaded during the exploitation phase and are considered a critical finding - they provide persistent access and full control over the web server process. Detection methods include file integrity monitoring, web application firewalls (WAFs), and anomaly detection on uploaded file content.

3. Step 3Convert the shell to hex
   Use CyberChef's "To Hex" recipe to convert the PHP script to hexadecimal format.
   Learn more

   Converting to hex is an intermediate step needed to manually prepend the PNG magic bytes to the PHP file content in the next step. Working in hex lets you precisely control the byte sequence at the start of the file without worrying about encoding issues from text editors or copy-paste tools that might alter binary data.

   CyberChef(the GCHQ Cyber Swiss Army Knife) is a browser-based tool for encoding, decoding, and transforming data. Its recipe-based pipeline lets you chain operations visually - you can "To Hex" the file, prepend the magic bytes as a hex string, then "From Hex" to download the final binary in a single workflow.

   This hex-manipulation workflow is broadly applicable: the same technique is used to bypass upload filters in bug bounty hunting, construct custom file format exploits, and craft test cases for fuzzing parsers.

4. Step 4Prepend PNG magic bytes
   Add the PNG file signature (found here) to the beginning of the hex data. This will trick the file type validation into thinking it's a valid PNG image.

   89 50 4E 47 0D 0A 1A 0A

   Copied!
   Learn more

   Magic bytes (also called file signatures) are the first few bytes of a file that identify its format. The PNG signature is the 8-byte sequence 89 50 4E 47 0D 0A 1A 0A. The bytes 50 4E 47 spell "PNG" in ASCII; the others are control characters chosen to detect common transmission corruptions (e.g., CRLF conversion, high-bit stripping).

   File type detection libraries (libmagic, which powers the file command) read these bytes to identify formats. A validator that only checks magic bytes can be trivially fooled: the bytes are at a fixed offset, so any attacker can prepend them to any payload.

   • JPEG: FF D8 FF
   • PDF: 25 50 44 46 (%PDF)
   • ZIP/APK/JAR/DOCX: 50 4B 03 04 (PK)
   • ELF (Linux executable): 7F 45 4C 46
5. Step 5Convert back to binary
   Use CyberChef's "From Hex" recipe to convert the modified hex back to binary and download the file.
   Learn more

   Converting back from hex to binary produces the actual file that will be uploaded. The resulting bytes start with the PNG signature (making magic-byte validators happy) followed immediately by valid PHP code (making the PHP interpreter happy when the server executes the file).

   This two-format hybrid is a simple polyglot: a file that simultaneously satisfies two format parsers. The PNG parser reads the signature, finds corrupt data, and fails gracefully - it just won't render as a valid image. The PHP parser ignores the leading PNG bytes (treating them as binary output before the first <?php tag) and executes the script.

   CyberChef's "Download output" button saves the binary to your file system with the correct raw bytes, avoiding any character encoding issues that could corrupt the payload.

6. Step 6Upload with double extension
   Upload the modified file with a name like filename.png.php. The server only checks that 'png' appears somewhere in the name; it doesn't have to be at the end. This allows us to use a double extension which passes the validation but executes as PHP.
   Learn more

   Double extension attacks exploit the way web servers determine which handler to use for a file. Apache with a misconfigured mod_mime may parse multiple extensions left-to-right and use the last recognized one - so shell.png.phpgets handed to the PHP interpreter. Even when the server uses the rightmost extension correctly, the substring check in the upload validator only looks for "png" anywhere in the string.

   Related bypass techniques include:

   • shell.php%00.png - null byte injection terminates the filename string in some older PHP versions, causing the .png to be ignored.
   • shell.pHp - case-variation bypass on case-insensitive file systems.
   • shell.php7 or shell.phtml - alternative PHP extensions that may be allowed but still execute.
7. Step 7Access the web shell
   Once successfully uploaded, the file can be accessed at the uploads directory. Navigate to this URL in your browser to access the web shell interface.

   http://atlas.picoctf.net:60322/uploads/filename.png.php

   Copied!
   Learn more

   The uploads directory being directly accessible under the web root is the critical mistake that makes this attack work. If uploaded files were stored outside the web root (e.g., /var/uploads/ instead of /var/www/html/uploads/), the server could serve them as static files with a forced content type but the PHP interpreter would never execute them.

   When you navigate to the uploaded file's URL, Apache recognizes the .php extension and passes the file to mod_php for execution. The PHP engine runs your shell code and returns its output as the HTTP response body - giving you a fully interactive command execution environment in the browser.

   Mitigations in a secure upload implementation: store files outside the web root, randomize filenames, set Content-Disposition: attachment headers to force downloads, and configure the upload directory with php_flag engine off in .htaccess to prevent PHP execution even if a file slips through.

8. Step 8Explore the file system
   The shell starts in /var/www/html/uploads. Check your current directory and list the parent directory to find interesting files.

   pwd

   Copied!

   ls ../

   Copied!
   Learn more

   After gaining shell access, the first step is always reconnaissance: where are you, what is around you, and what can you access? pwd (print working directory) and ls are the foundational navigation commands.

   Web application files are typically served from /var/www/html/ on Debian/Ubuntu-based systems. Configuration files, database credentials, and other sensitive data are often stored one level up from the web root or in sibling directories. Listing ../ quickly reveals the broader directory structure.

   In real penetration testing, post-exploitation enumeration would continue with commands like id (who am I?), uname -a (what OS/kernel?), cat /etc/passwd (what users exist?), and find / -perm -4000 2>/dev/null (what SUID binaries can I exploit for privilege escalation?).

9. Step 9Read the flag file
   You'll find a file called MFRDAZLDMUYDG.txt in /var/www/html/. Read it to get the flag.

   cat ../MFRDAZLDMUYDG.txt

   Copied!
   Learn more

   The randomly named flag file (MFRDAZLDMUYDG.txt) simulates a real-world scenario where sensitive data has an unpredictable filename - you wouldn't be able to guess it without either directory traversal or shell access. This reinforces why achieving code execution is so significant: you can now enumerate the entire file system rather than guessing paths.

   cat (concatenate) outputs file contents to stdout. The ../ path navigates one directory up from the current working directory. Together, cat ../MFRDAZLDMUYDG.txt reads the flag file from the parent directory.

   In real incident response, finding unexpected files in /var/www/html/ - especially with suspicious names or recent modification timestamps - is a strong indicator of compromise. File integrity monitoring (FIM) tools like Tripwire or AIDE detect unauthorized additions to web directories.

Flag

picoCTF{c3rt!fi3d_Xp3rt_tr1ckst3r_ab0e...}

Once the shell is uploaded, the flag text file is one directory up from the uploads folder.