n0s4n1ty 1

Published: April 2, 2025

Description

The profile-picture upload endpoint accepts any file, drops it in `/uploads`, and serves it back. Upload a PHP web shell, browse to it, and use sudo to read /root/flag.txt.

Download a PHP web shell such as phpbash.php.

Upload it via the avatar form and note the returned path (e.g., uploads/phpbash.php).

curl -O https://raw.githubusercontent.com/Arrexel/phpbash/master/phpbash.php
sudo ls /root
sudo cat /root/flag.txt

Solution

  1. Step 1: Gain a shell
    After uploading phpbash.php, browse to `http://host/uploads/phpbash.php` to get a command prompt. You land inside /var/www/html/uploads.

    Unrestricted file upload is one of the most critical web vulnerabilities (OWASP Top 10 A04). When a server accepts arbitrary files without validating their content type or extension, an attacker can upload executable scripts. On a PHP server, uploading a .php file to a web-accessible directory and visiting its URL causes Apache or Nginx to pass it to the PHP interpreter, giving the attacker a web shell.

    phpbash is a popular open-source web shell that provides a terminal-like interface in the browser. Once served, it executes system commands as the web server's user (typically www-data). Proper mitigations include validating file content with MIME-type inspection (not just extension), storing uploads outside the web root, serving them through a dedicated file-serving endpoint that strips executable permissions, and using a CDN or object storage service (S3, GCS) rather than the same server.

    This vulnerability class has enabled some of the most impactful breaches in history. Bypasses exist for naive extension blacklists: using .php5, .phtml, .PhP (case variation), or embedding a null byte in some older systems. Content-type whitelisting at the HTTP header level is also bypassable because the client sends that header and can lie about it.
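A hardened version of the avatar upload check that applies the mitigations above, as an added example that is not part of the original writeup or the challenge code; it is written in Python rather than the challenge's PHP, and `UPLOAD_DIR` and the type allowlist are assumptions:

```python
import os
import secrets
from typing import Optional, Tuple

# Upload directory outside the web root (assumed path for this example), so a
# stored file is never reachable as a URL the server would hand to PHP.
UPLOAD_DIR = "/var/lib/app/avatars"

# Accepted avatar types: canonical extension -> (magic bytes, accepted spellings).
# Constructed allowlist; extend per application needs.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "jpg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "gif": (b"GIF8", {"gif"}),
}

def canonical_ext(filename: str) -> Optional[str]:
    """Map the LAST extension, case-insensitively, to a canonical allowed type."""
    _stem, dot, ext = os.path.basename(filename).rpartition(".")
    if not dot:
        return None
    for canon, (_magic, spellings) in ALLOWED.items():
        if ext.lower() in spellings:
            return canon
    return None

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, canonical extension or rejection reason).

    The client's Content-Type header is deliberately not an input: the client
    controls it, so it carries no trust. Only the bytes and the name are checked.
    """
    if "\x00" in filename:
        return False, "null byte in filename"
    canon = canonical_ext(filename)
    if canon is None:
        # Rejects shell.php, shell.PhP, shell.phtml, shell.php5, avatar.png.php
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED[canon][0]):
        # Rejects PHP source renamed to avatar.png
        return False, "content does not match declared type"
    return True, canon

def storage_path(canon: str) -> str:
    """Server-chosen random name under UPLOAD_DIR; the user never picks the path."""
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{canon}")
```

A magic-byte check alone does not stop a valid image with PHP appended to it, which is why storing outside the web root and serving through a non-executing endpoint remain necessary alongside it.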

  2. Step 2: Escalate with sudo
    Use standard Linux commands (`cd /`, `ls`, etc.). The web user has sudo without a password, so `sudo ls /root` reveals flag.txt and `sudo cat /root/flag.txt` prints the flag.

    Passwordless sudo (NOPASSWD) is a privilege escalation shortcut that grants a user the ability to run commands as root without entering a password. It is configured in `/etc/sudoers` with lines like `www-data ALL=(ALL) NOPASSWD: ALL`. While useful for automation, granting unrestricted NOPASSWD to a web process is catastrophically insecure.

    In a real penetration test, post-exploitation privilege escalation typically involves checking `sudo -l` to list allowed commands, looking for SUID binaries (`find / -perm -4000`), searching for writable cron jobs or services, and reviewing `/etc/sudoers` and `/etc/sudoers.d/`. The combination of web shell plus NOPASSWD sudo is one of the fastest paths from unauthenticated access to full root compromise.

    The principle of least privilege dictates that web servers should run as a dedicated low-privilege user with no sudo rights, no write access outside their document root, and no ability to read system files. Container-based deployments add another layer of isolation - even if an attacker gains a shell inside a container, they face additional barriers before reaching the host.

Flag

picoCTF{wh47_c4n_u_d0_wPHP_5f89...}

File uploads should validate type and prevent arbitrary execution paths.
