badimg
***  
web  
cyberedu

Web apps are everywhere, so are the bugs.
Resources used to solve this CTF:
https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html

https://github.com/fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg?tab=readme-ov-file

https://github.com/dlegs/php-jpeg-injector  -- not that useful


The website:

Login page:

Nothing to see here. I tried a SQL injection but no payload worked. I registered a new account and used it to log in.


Home page:


-Just some random information

Dashboard page: doesn't work

Profile page:
This is where the vulnerability is located. It has nothing to do with changing the credentials; as the challenge's name, -=badimg=-, suggests, it's related to the uploaded profile picture.

I had some unsuccessful attempts while trying to:
-upload plain PHP code (test.php)
-upload random text with a .jpg extension
-upload a PNG
-upload a picture that didn't contain enough data

The URL looked like this:
http://34.89.210.219:31321/index.php?page=
The page parameter was vulnerable to LFI, but I didn't find anything useful with it at first.


I inspected the uploaded image and saw that it's stored in the /profiles folder.
Then I tried to access it through the LFI found earlier:
http://34.89.210.219:31321/index.php?page=profiles/63b00d3fdf601e9e4144.jpg
There I saw that the image had been compressed using gd-jpeg v1.0, i.e. the server re-encodes the upload with PHP's GD library.

Any manual insertion of data failed, so I searched the internet for known techniques.
I found this website in Spanish (https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html) which, once translated, explains the process pretty well.


At first I tried the tool presented there, but the only payload I could inject with it was phpinfo(). Almost every other payload I tried was stripped once the picture had been uploaded.

I thought phpinfo() wouldn't help at all, but its output showed that some functions were disabled (disable_functions):
Knowing this saved me some time. I searched HackTricks for a way to bypass that, and the perfect fit for this challenge was the backtick operator (`).
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass

Another thing I observed in phpinfo() was that short open tags are enabled, so my payload looked like this:
<?=`command`; >
I tried a few more times using the gd-jpeg.py tool provided in the resource, but it didn't seem to insert the data properly.

I checked this link once more https://github.com/fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg and opened the image in https://hexed.it/

I manually inserted the bytes right after the scan header (the SOS marker) and got some output.
The first command I inserted was ls


and it worked :D

After trying some more commands I figured out that my payload had to be as small as possible. If it's too big, it's completely removed when the image is passed through gd-jpeg.
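As an added defender-side check, not part of the original writeup or of the linked tools: the payload above only works because it survives inside the JPEG's entropy-coded scan data and is later executed through the page= include. The script below walks the JPEG marker structure of an uploaded (or GD re-encoded) file and reports every PHP open tag together with the segment it sits in, so an upload handler can reject such files before anything includes them. SAMPLE is a constructed stand-in for a gd-jpeg output, not a real image.

```python
import re

# Open tags PHP honours when it includes a file; a bare "<?" counts only when
# followed by whitespace, so an "<?xml" declaration in metadata is not flagged.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|(?=\s))")
SCAN_DATA = 0x100  # pseudo-marker for the entropy-coded bytes that follow SOS
SEGMENT_NAMES = {0xD8: "SOI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xDB: "DQT",
                 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI", SCAN_DATA: "scan data"}

def iter_jpeg_segments(data):
    """Yield (marker, start, end) for every segment, plus one entry for the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield 0xD8, 0, 2
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI carries no length field
            yield marker, pos, pos + 2
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        seg_end = pos + 2 + length
        yield marker, pos, seg_end
        pos = seg_end
        if marker == 0xDA:                      # SOS: scan data runs to the next real marker
            scan_start = pos                    # (FF 00 is byte stuffing, FF D0-D7 are restarts)
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1
            yield SCAN_DATA, scan_start, pos

def scan_jpeg_for_php(data):
    """Return [{'segment': name, 'offset': n}, ...] for every PHP open tag found in the file."""
    return [{"segment": SEGMENT_NAMES.get(marker, f"0x{marker:02X}"), "offset": m.start()}
            for marker, start, end in iter_jpeg_segments(data)
            for m in PHP_TAG.finditer(data, start, end)]

def seg(marker, payload):
    """Build one marker segment (helper for constructed test data, not a real encoder)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed stand-in for a gd-jpeg output whose scan data carries a short-tag payload.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xFE, b"CREATOR: gd-jpeg v1.0, quality = 75")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34<?='x'?>\x56\xff\x00\x78" + b"\xff\xd9")
```

A hit in scan data is the pattern this writeup produces; a hit in COM or APPn metadata is the classic "PHP in EXIF" variant, and either should fail the upload. Compressed data can contain the byte pair "<?" by chance, so treat a hit as a reason to reject or re-encode rather than as proof of intent, and keep the profiles folder out of any include path in the first place.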

I listed the files in / and there was the flag file.
I got the flag using cat /f*
(The i1i2i3i4i5 that appears in the hex editor and in the output, at the end of the flag, was my attempt to see how much space I had left, since I couldn't use a long command.)

DCTF{18efb91fa4b58c3f7af92bc86811999bb5acb29320ee5cda4a8bc6f6148d122c}