Ezflag Level 1
This was a file upload vulnerability. Looking inside the lighttpd.conf
file, we could see that any .py
files are run with /usr/bin/python3
.
Validation is performed to check for the .py
extension.
However, once validated, a replacement of ./
with an empty string is performed.
Thus, we can bypass the .py
filter by using ./py
.
This allows us to get a reverse shell.
Last updated
Was this helpful?