CTFtime.org

Dumb Admin

by Mj0ln1r / Invaders0x1

Tags: fileupload web rce mj0ln1r invaders0x1 

Rating:

# Dumb Admin

Description :

```text
The Admin coded his dashboard by himself. He’s sure to be a pro coder and he’s so satisfied about it. Can you make him rethink that?

Challenge : https://dumbadmin.challs.dantectf.it/
```

The website was a login page. After some failed tries to find crendentials of the source of the website, I tried to use a basic login bypass `SQL injection` payload.

Username : `admin' 1=1 --`
Password : `1234`

This payload was worked fine and I was able to login as admin.

The admin page has a option to upload a image.

![dumb](https://themj0ln1r.github.io/assets/img/post_img/dante23_dubm1.png)

I thought that there might be a `File upload` vulnerability in the website.

First uploaded a jpg of 2 kb and it was rendered in the webpage. When I view the source code, I found a direct url to the image uploaded.

`https://dumbadmin.challs.dantectf.it/f9bbbecb61014db8f0674bf60c27e668/8347dc6bbcfb8d457453656ae33181d7.png`

So, If we upload a php file we can execute in by going to the actual URL.

The `php` file `file.php`

```php

```

What this code will do is, This can execute the commands passed in the `cmd` argument in the URL of the file.php

I tried to upload this on the website, Got an error message.

`The extension '.php' indicate it is not an image!`

So, Tried some extension bypass techniques on the hacktricks webpage. Now uploaded the file as `file.jpg.php`. Again got an error.

`Uploaded file seems to be not a real image!`

Okay, there might be a magic bytes check was done here. So, I edited the magic bytes of the `file.jpg.php` with the **hexed.it** webtool. Inserted the `jpg` header values to the `file.jpg.php`.

```bash
00000000: ffd8 ff3c 3f70 6870 0a09 6563 686f 2073 ....
```

So, as we can see in the above hexdump of the file contains jpg headers.

Lets try to upload this file.

This time everything was fine and the image `file.jpg.php` was not rendered as it is not an image. I moved to the actual URL of the uploaded file as we already founf it in the beginning.

I moved to `https://dumbadmin.challs.dantectf.it/f9bbbecb61014db8f0674bf60c27e668/9180871cb76494741eb99e2181d57e54.jpg.php`

And there were nothing to see, then i passed `ls` in the `cmd` argument from the URL.

Boom, This prints the list of files available on the server.

Now we can move across the file system of the server, I found the flag was at `/flag.txt`.

The URL, `https://dumbadmin.challs.dantectf.it/f9bbbecb61014db8f0674bf60c27e668/9180871cb76494741eb99e2181d57e54.jpg.php?cmd=cat%20/flag.txt` . Prints out the flag for us

> `Flag : DANTE{Y0u_Kn0w_how_t0_bypass_things_in_PhP9Abd7BdCFF}`

# [Original Writeup](https://themj0ln1r.github.io/posts/dantectf23)

Original writeup (https://themj0ln1r.github.io/posts/dantectf23).

Comments