<-- home

Securinets Prequals 2019 / Unbreakable Uploader

Hello folks , this time we played Securinets CTF Quals 2019 for 24 hours

I will try to explain the latest Web Unbreakable Uploader challenge (2 solves)

Its amazing task where you need to chain multi bugs to get RCE

OK lets start

We must exploit the unknown vulnerability (for the moment), access this database of challenges and find the hidden FLAG :D

Not bad at all guys, challenge accepted!

So as far as we can do :

  1-Upload any jpeg/png file
  2-Deny / Allow access to our uploads folder (every user has his own folder : https://web3.ctfsecurinets.com//md5($_SERVER['REMOTE_ADDR'])/md5(random_string).extension )

Example to deny access to our folder files

We just can input “all” or “” and set Action to deny then ADD

We are trying to access our uploaded image, we can confirm that the Deny action is working properly

First, when we look at this task and read the name of the challenge, we say it is a basic upload bypass.

After trying for more than 1h to bypass this upload , try normal stuff to break the upload check and upload php file or inject php in png IDAT chunks and other tricky way but we failed :(

Admin this moment be like

Ok here we start to take things more serious !

Lets begin again

We have deny / allow process , what it can be ?

1-Nginx module
3-or maybe something else!

So we said why not play with the configuration itself, if we could inject another configuration line on these files, we might be able to bypass upload.

Exp : 
AddType application/x-httpd-php .png
AddHandler application/x-httpd-php .png
the AddType in an .htaccess file can tell the server to run png extension as PHP

So we need to make CRLF injection to create new line , what we want to do :

allow from OUR_INPUT <-- inject input that create new line in config file

So basically if we can injection new lines we are done here :D

to inject this AddType application/x-httpd-php .png AddHandler application/x-httpd-php .png

To be this one

allow from
AddType application/x-httpd-php .png
AddHandler application/x-httpd-php .png

we should encode our input and do CRLF injection using %0d%0a as simple way

We get this payload as input :

%0d%0a: CRLF

Inject php code inside png file and try to upload it .

Lets check before / after

This one before inject our payload :

And this after inject :

Ok here we are done , next please :D

Lets do some RCE Stuff

cat ../../../.env | less

# Configure your db driver and server_version in config/packages/doctrine.yaml

Trying to connect to database “Connection error to database” , it was fake database name “symfony_task_3”

Admin again :D

Lets just dump user privileges database XD

Find database name : big_database

So lets find flag and win :)


$link = mysqli_connect("localhost", "symfony_admin", "Securinets_dB_P455W0Rd_369", "big_database");
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
$r = mysqli_query($link,"SELECT * FROM user_details WHERE username like '%ecurinets%' or first_name like '%ecurinets%' or last_name like '%ecurinets%' or gender like '%ecurinets%' or password like '%ecurinets%'");
echo mysqli_error($link);

And we are done FLAG : Securinets{T00_MuCh_W0rk}

Thank you for reading this write up , well done for my team @DefConUA 1st place with 2 remaining tasks :) And Thanks to the creator’s team for this CTF, especially the Emperor, for this amazing task :)