To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
Step 1 - Access the application:
Step 2 - Try to add a file in the input field:
If we try to insert a file with the naming test; we got blocked by the application
Step 3 - Change to POST method:
The application is using a GET method to insert the file, change is to POST:
And the file is successully uploaded:
Step 3 - Get the flag:
Now that we can bypass the command injection, lets insert the filename file; cp /flag.txt ./
Click on flag.txt
And we are done!
Last updated 8 months ago
