[Hack-Along] Stripe Web CTF - Level Two - [SPOILERS]
A new level attacks from the long grass! In2security uses spoilers.... it's super effective!
Click 'read more' to see the solution that we found for the Stripe CTF Level 2.
Level 2 presents us with a social network. We have an account already set up for us and are presented with our 'profile page', which is a very simple image upload form.
Our aim for this page is to read the file
password.txt
which is stored in the root directory of the webapp.
So how can we read this file?
A quick look over the source code shows some basic PHP: an uploaded file is moved from a temp directory into the "uploads/" directory, has its permissions set so that the file can be read (0644 permissions are read/write for the owner, read for the group, read for others), and then finally a session variable is set to the filename so that the image is loaded on the page.
This all looks fairly straightforward: filenames are sanitised with basename() so that they cannot traverse directories, and the standard PHP mechanism for moving uploaded files, move_uploaded_file(), is also in use.
What is not being done, however, is any checking that the file being uploaded is an image. Or, in fact, any type of file at all! So how can we exploit this?
As we know there is a PHP interpreter available (existing PHP code is being used), we can upload a PHP file. To test this, create a file with the following contents:
name it 'whatevernameyoulike.php' and upload it using the image upload utility. Then browse to
This is a test
We can use this weakness to run arbitrary PHP code, then, and if we can run PHP in the context of the web server there is a pretty good chance that we can read a file in the web server's path. With some PHP like:
the password to level 3 will be printed out.
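To show what the fix looks like, here is an added PHP example (not the CTF's code and not from the original post): an upload handler with the weaknesses described above, followed by a hardened version. The /var/uploads_private directory and the serve-by-name read-back are assumptions.

```php
<?php
// Added illustration, not the Stripe CTF level's own code: the weak handler
// mirrors what the write-up describes; the hardened one closes each gap.
session_start();

// Weak handler: only the path is sanitised; content and extension are trusted.
function weak_upload(array $file): string {
    $dest = 'uploads/' . basename($file['name']); // stops traversal, nothing else
    move_uploaded_file($file['tmp_name'], $dest);
    chmod($dest, 0644);                 // world-readable, as in the level
    $_SESSION['image'] = $dest;         // a .php here is executed when requested
    return $dest;
}

// Hardened handler: validate the bytes, choose the name ourselves, store outside the webroot.
function safe_upload(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 1000000) {
        return null;
    }
    // Decide the type from the content, not the client-supplied name or MIME header.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Server-chosen random name: no user-controlled extension, no collisions.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    // Assumed directory outside the document root, so nothing in it is ever interpreted.
    $dest = '/var/uploads_private/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                 // owner rw, group r, no world access
    $_SESSION['image'] = $name;         // read back by name only, via serve_upload()
    return $name;
}

// Companion read-back (assumed design): only names of the form we generate are accepted.
function serve_upload(string $name): bool {
    $path = '/var/uploads_private/' . $name;
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|gif)$/', $name) || !is_file($path)) {
        return false;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    return readfile($path) !== false;
}
```

Even with the hardened handler, the chmod trick from the comments below only works because the PHP process runs as the owner of password.txt; running the web server as a separate low-privilege user removes that avenue independently of the upload code.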
As always, if you found another way to complete this level let us know in the comments!
Comments
chmod worked too
Given my limited PHP knowledge, I went with <?php chmod('../password.txt', 0644); ?>, based on line 14 of their code. Then I could browse to password.txt without restriction.