Challenge Overview
A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the /root directory.
You can access the web application here!
Solution
This challenge is quite similar to the Trickster challenge from picoCTF 2024, and it admits an even simpler solution.
This Hack the Box Academy module explains the upload exploit well. It shows that by using this PHP script you can get a web shell.
You don't need to change anything in the PHP script; upload it as-is and you will get this message:
The file phpbash.php has been uploaded Path: uploads/phpbash.php
Once uploaded, the file can be reached directly at its path on the site:
http://standard-pizzas.picoctf.net:52969/uploads/phpbash.php
This gives the shell. Commands like ls, pwd and cd / can all be run in this web shell. It starts you in /var/www/html/uploads. From here you can traverse the filesystem with the usual commands to search for the flag; common places to look are the html folder, the home folder, and the root folder. ls /root gives a permission denied error, but prefixing sudo works (the web server account is allowed to use it), so sudo ls /root from any directory shows that flag.txt is in the root directory. From there, sudo cat /root/flag.txt gives the flag.
Flag: picoCTF{wh47_c4n_u_d0_wPHP_5f89...}
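For contrast, here is what a hardened version of the profile-picture upload handler looks like. This is an added example, not the challenge's code: it derives the extension from the sniffed content type rather than the client's filename, gives the file a random name, and stores it outside the web root. The form field name "avatar" and the UPLOAD_DIR path are assumptions.

```php
<?php
// Added example (not the challenge's code): a hardened profile-picture upload handler.
// Assumes the form field is named "avatar" and that UPLOAD_DIR is NOT under the web root
// (or, if it must be, that the web server is configured not to execute PHP there).

const UPLOAD_DIR = '/var/app/uploads';                // assumption: outside /var/www/html
const MAX_BYTES  = 2 * 1024 * 1024;                   // 2 MiB cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Validate the upload and return the server-chosen extension.
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Never trust the client-supplied name or $_FILES['type']; sniff the real content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Second check: a real image must decode.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    return ALLOWED[$mime];                            // extension comes from content, not the user
}

// Store the validated file under a random name with no execute bit.
function store_upload(array $file): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // no user influence on the stored name
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['avatar'])) {
    try {
        echo 'Uploaded as ' . htmlspecialchars(store_upload($_FILES['avatar']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

With this handler a file like phpbash.php is rejected at the content check, and even a polyglot that passes it is stored as .png/.jpg in a location the web server will not execute.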