a.infosecflavour
Trickster- PicoCTF 2024

Hey you,
If you're curious👀 about web-exploitation challenges, Trickster is a great example to follow along with.🫶
Without saying more, let's get started.
Steps I followed👉

  1. Carefully read the description. We can observe that only PNG images can be processed. As soon as I read that, my mind flew to this TryHackMe challenge 💡
  2. Launched the instance. My guess was good. 😉

Given that only .png files are accepted, I needed to find a way to embed reverse-shell code in a PNG file.

I went to Reverse Shell Generator and looked for a PHP script. I chose the PHP cmd code and copied it into a text editor.

Since it's my habit to enumerate hidden directories when I encounter a web-shell challenge, I did that first.
Something interesting was quickly found! 👇

[Screenshot: enumerating hidden directories]

I accessed robots.txt and, besides the uploads folder, discovered an instructions.txt file. Driven by curiosity, I opened that file and found the following:

[Screenshot: instructions.txt]

All right, so the PHP script must contain the PNG signature at the beginning.

Normally, I would have edited this with a hex editor. But I tried something easier that basically does the same thing as editing it in a hex editor: I typed PNG at the beginning of the document. 🤓

[Screenshot: magic bytes]

I uploaded the file and... waited for the shell to appear. 😹 ❗Important❗ The uploaded file has a double extension ➡️ .png.php

Yeah, it didn't go as expected, so ⏭️ I tried to access the /uploads folder. Too bad, I don't have access.

🎯Then I thought I'd take advantage of local file inclusion, so I completed the path with the name of the uploaded file.

I was welcomed with this👇

[Screenshot: cmd line]

I tried various commands, for instance pwd, ls, whoami. Then I looked for all the files with a .txt extension. Who knows, maybe there is a flag.txt 😃

[Screenshot: pwd]

[Screenshot: txt files]

[Screenshot: cat]

In the end 👇

[Screenshot: flag]

That's it! Congrats! 👏

What are your thoughts?
