Trickster

Published: April 3, 2024. Updated: December 9, 2025.

Description

I found a web app that can help process images: PNG images only!

Web shell upload

Connect to the instance to access the PNG processing app link.

Solution

  1. Step 1: Understand the vulnerability
    This File Upload Exploitation guide explains the upload exploit well. The upload handler tries to make sure that the file is a PNG by looking at the magic bytes and the file extension. However, the validation is weak:
    • It checks for the PNG magic bytes at the start of the file
    • It checks that the filename contains "png" anywhere in it
  2. Step 2: Download the PHP web shell
    Download the phpbash.php script (or any simple PHP shell). This will be used to gain command execution on the server.
  3. Step 3: Convert the shell to hex
    Use CyberChef's "To Hex" recipe to convert the PHP script to hexadecimal.
  4. Step 4: Prepend the PNG magic bytes
    Add the standard PNG file signature to the beginning of the hex data. This tricks the file type validation into treating the file as a valid PNG image.
    89 50 4E 47 0D 0A 1A 0A
  5. Step 5: Convert back to binary
    Use CyberChef's "From Hex" recipe to convert the modified hex back to binary and download the file.
  6. Step 6: Upload with a double extension
    Upload the modified file with a name like filename.png.php. The server only checks that 'png' appears somewhere in the name; it doesn't have to be at the end. A double extension therefore passes the validation, but the file is still executed as PHP because its final extension is .php.
  7. Step 7: Access the web shell
    Once the upload succeeds, the file is served from the uploads directory. Navigate to this URL in your browser to reach the web shell interface.
    http://atlas.picoctf.net:60322/uploads/filename.png.php
  8. Step 8: Explore the file system
    The shell starts in /var/www/html/uploads. Check your current directory and list the parent directory to find interesting files.
    pwd
    ls ../
  9. Step 9: Read the flag file
    You'll find a file called MFRDAZLDMUYDG.txt in /var/www/html/. Read it to get the flag.
    cat ../MFRDAZLDMUYDG.txt
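The two weaknesses in Step 1 (a signature-only content check and a substring match on the filename) are what make the double-extension upload work. The following Python is an added example, not the challenge app's code, that reconstructs the weak check from the writeup's description beside a hardened version: it requires the final extension to be .png, validates the PNG signature and a well-formed IHDR chunk with a correct CRC, and never reuses the client-supplied filename on disk. The function names, the sample uploads and the constants are all constructed for this illustration.

```python
import os
import secrets
import struct
import zlib

# Standard PNG file signature: 89 50 4E 47 0D 0A 1A 0A
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def weak_is_png(filename: str, data: bytes) -> bool:
    """Reconstruction (assumed, from the writeup) of the challenge's check:
    signature prefix plus 'png' anywhere in the name. A file whose final
    extension is .php still passes as long as 'png' appears somewhere."""
    return data.startswith(PNG_SIGNATURE) and "png" in filename.lower()


def strict_is_png(filename: str, data: bytes) -> bool:
    """Hardened check: final extension, signature, and a valid IHDR chunk."""
    # 1. Only the *last* extension counts: 'x.png.php' splits to '.php'.
    _root, ext = os.path.splitext(filename)
    if ext.lower() != ".png":
        return False
    # 2. The signature must be present.
    if not data.startswith(PNG_SIGNATURE):
        return False
    # 3. The first chunk must be a 13-byte IHDR whose CRC-32 checks out, so
    #    "signature followed by arbitrary bytes" is rejected.
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
        return False
    width, height, bit_depth, _colour_type = struct.unpack(">IIBB", body[:10])
    return width > 0 and height > 0 and bit_depth in (1, 2, 4, 8, 16)


def safe_storage_name() -> str:
    """Never store under the client-supplied name: generate one, force .png."""
    return secrets.token_hex(16) + ".png"


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: signature + valid IHDR + IEND (no pixel data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    ihdr_chunk = (struct.pack(">I", 13) + b"IHDR" + ihdr
                  + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF))
    iend_chunk = (struct.pack(">I", 0) + b"IEND"
                  + struct.pack(">I", zlib.crc32(b"IEND") & 0xFFFFFFFF))
    return PNG_SIGNATURE + ihdr_chunk + iend_chunk


# Constructed uploads: one genuine PNG header, one signature with junk after it.
GENUINE_UPLOAD = minimal_png()
DISGUISED_UPLOAD = PNG_SIGNATURE + b"not really image data, just arbitrary bytes after the signature"


def evaluate(filename: str, data: bytes) -> dict:
    """Return both verdicts for a given upload so the difference is visible."""
    return {"weak": weak_is_png(filename, data), "strict": strict_is_png(filename, data)}


if __name__ == "__main__":
    for name, blob in [("filename.png.php", DISGUISED_UPLOAD),
                       ("photo.png", GENUINE_UPLOAD),
                       ("photo.png.php", GENUINE_UPLOAD)]:
        print(name, evaluate(name, blob))
    print("stored as:", safe_storage_name())
```

Even with the stricter validator, the uploads directory should be served from a location where the web server does not execute scripts; content validation reduces the attack surface but the decisive control is that nothing under /uploads is ever handed to the PHP interpreter.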

Flag

picoCTF{c3rt!fi3d_Xp3rt_tr1ckst3r_ab0e...}

Once the shell is uploaded, the flag text file is one directory up from the uploads folder.