a.infosecflavour

Trickster- PicoCTF 2024

Hey you,
if you're curious 👀 about web-exploitation challenges, Trickster is a great one to work through. 🫶
Without saying more, let's get started.
Steps I followed 👉

  1. Carefully read the description. We can observe that only PNG images can be processed. As soon as I read that, my mind flew to this TryHackMe challenge 💡
  2. Launched the instance. My guess was good. 😉

Given that only .png files are accepted, I needed to find a way to embed reverse-shell code in a .png file.

I went to the Reverse Shell Generator and looked for a PHP script. I chose the PHP cmd code and copied it into a text editor.

Since it's my habit to enumerate hidden directories whenever I encounter a web-shell challenge, I did that next.
Something interesting turned up quickly! 👇

(Screenshot: enumerating hidden directories)

I accessed robots.txt and, besides the uploads folder, discovered an instructions.txt file. Driven by curiosity, I opened it and found the following:

(Screenshot: instructions.txt)
All right, so the PHP script must start with the PNG signature.

Normally I would have edited this with a hex editor (HexEdit). But I tried something easier that does essentially the same thing as editing it in a hex editor: I typed PNG at the beginning of the document. 🤓

(Screenshot: magic bytes)

I uploaded the file and... waited for the shell to appear. 😹 ❗Important❗ The uploaded file has a double extension ➡️ .png.php

Yeah, it didn't go as expected, so ⏭️ I tried to access the /uploads folder. Too bad, I didn't have access.

🎯 Then I thought I would take advantage of local file inclusion, so I completed the path with the name of the uploaded file.

I was welcomed with this 👇

(Screenshot: command line)
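The chain above worked because two server-side checks were satisfied by cosmetic changes: the "PNG signature" test accepted the three bare letters PNG, and the extension test accepted a name that merely contained .png, while the uploads directory still executed PHP. The Python below is an added example for defenders; it is not the challenge's code or the write-up's, and the weak check it contrasts against is my constructed approximation of the behaviour observed, not the real one. The stricter validator requires exactly one permitted extension (so shell.png.php is refused), the complete 8-byte PNG signature, and a well-formed IHDR chunk with a matching CRC. The sample inputs are constructed inline; the "fake" body is an inert placeholder standing in for the script.

```python
from __future__ import annotations

import os
import struct
import zlib

# Complete PNG signature. The letters "PNG" are only bytes 1-3 of it.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png"}

# Constructed sample inputs (not real uploads): a non-image body that merely
# begins with the ASCII letters PNG, and a minimal genuine PNG header.
FAKE_PNG = b"PNG" + b"// constructed non-image body, placeholder for a script"


def weak_check(filename: str, data: bytes) -> bool:
    """Constructed approximation of the check the write-up bypassed:
    'PNG' at the start and '.png' anywhere in the name. Do not use."""
    return data.startswith(b"PNG") and ".png" in filename.lower()


def has_single_allowed_extension(filename: str) -> bool:
    """Accept 'name.png' only; reject double extensions like 'x.png.php'."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1].lower() in ALLOWED_EXTENSIONS


def looks_like_png(data: bytes) -> bool:
    """Require the full signature plus a 13-byte IHDR chunk whose CRC verifies."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    if len(data) < 8 + 8 + 13 + 4:  # signature, length+type, IHDR body, CRC
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    chunk_body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    return zlib.crc32(ctype + chunk_body) & 0xFFFFFFFF == stored_crc


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Extension is checked before content so a
    double-extension name is refused even if the bytes are a real image."""
    if not has_single_allowed_extension(filename):
        return False, "extension"
    if not looks_like_png(data):
        return False, "content"
    return True, "ok"


def make_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG header (signature + IHDR) as a valid sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + ihdr
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + struct.pack(">I", crc)


if __name__ == "__main__":
    for name, body in [("shell.png.php", FAKE_PNG),
                       ("shell.png", FAKE_PNG),
                       ("pic.png", make_minimal_png())]:
        print(f"{name:14} weak={weak_check(name, body)!s:5} strict={validate_upload(name, body)}")
```

Even with this validator, the uploads directory should be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration) and stored files should be renamed server-side to a random name with a fixed .png extension, so that no attacker-chosen filename ever reaches the web root.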

I tried various commands, for instance pwd, ls and whoami, then looked for all files with a .txt extension. Who knows, maybe there is a flag.txt 😃

(Screenshot: pwd)

(Screenshot: txt files)

(Screenshot: concatenating the file)

In the end 👇
(Screenshot: flag)

That's it! Congrats! 👏

What are your thoughts?
