IP: 172.25.200.200

Port: 9028

Want to run this Docker container locally?

 docker run -d -p 9028:80 --restart always --name Flag-red51 joshbeck2024/ctf-file-upload-bypass-content-type-flag-red51

Walk through:

The source code for the file upload portal is provided. We have a list of blacklisted file extensions that appear to make any type of RCE problematic.

The concept:

• We can try to upload an .htaccess file.
• An .htaccess file is a set of instructions for the web server (specifically Apache). It tells the server how to handle files before sending them to a user.
• When it comes to file extensions, the server typically looks at the end of the filename (like .jpg or .php) to decide what to do. .htaccess allows you to override these default rules.
• We will define the .random extension and tell the server to treat it as PHP.

On your Kali machine, create a file called .htaccess and insert the following.

AddType application/x-httpd-php .random

Upload this to the webserver. You won’t see it in uploads, but it’s there!

Now we need some PHP reverse shell code. I like the pentestmonkey PHP reverse shell myself! (Don’t forget to replace your target IP in the command below. The target IP is the IP Address of your Kali Linux Attacker Machine.)