Today we’re going to look into one of the challenges from 34C3 Junior CTF called upload.
Let’s take a look at source code.
The most important part is that the shell_exec function will use unzip tool, unpacking the archive that we uploaded. We have to somehow get to the flag, which is located in the main directory - http://18.104.22.168/flag.php. Firstly, we’ll have to get 2 directories higher so ../../ should be essential.
After a while I found out that we can simply compress symlinks, which will allow us to enter a file linked by the content of an archive. Let’s create this file.
Now we’re able to compress it and send to the web service.
After viewing the content of symlink.txt, we are provided with the content of flag.