Webverselabs Calliope Gallery Challenge File Upload
Scenario :
Calliope was founded in 2021 by two former MFA students who couldn’t get a toehold on the New York gallery circuit and decided to build their own. Three years on, the roster is about eighty emerging painters, illustrators and printmakers across North America, with brick-and-mortar viewing rooms in Tribeca and Highland Park. Last spring a contractor wired in a thumbnail-resizer to keep the portfolio dirs fast on mobile and left a small config tweak in the upload tree to make the resizer work; the team has long since forgotten the integration is in there at all.
Solution :
We first browse the web app as a normal user to map its endpoints, then fuzz for files and directories, but that returns nothing useful.
After creating an account we see that we can upload images to the app, as long as they are JPEGs.
Let's upload a real image first, then swap in a PHP file to see whether the front-end validation can be bypassed.
In Burp we can modify the declared file type (the Content-Type of the uploaded part) to see whether that bypasses anything.
That didn't work, which means there is probably some filtering on the server side as well. What I usually do next is add magic bytes at the beginning of the file: the first few bytes are what tell the server it is looking at a real JPEG.
For JPEG the magic bytes are FF D8 FF E0 in hex (FF D8 FF is the Start of Image marker every JPEG begins with; E0 is the APP0 marker that introduces the JFIF header).
FF D8 FF E0 : hex representation.
==> To write those raw bytes from the shell, escape them:
\xff\xd8\xff\xe0 : the \x prefix tells echo -e (or printf) "this is hex, emit the byte" instead of the literal characters.
For example, if we put our payload in a file named shell2.jpg without this header, the server knows it is not an image just by checking the first few bytes:
Now we add the magic bytes at the beginning:
echo -e '\xff\xd8\xff\xe0aaaaa' > shell2.jpg    (make sure you add the -e; on shells whose echo has no -e, such as dash, use printf '\xff\xd8\xff\xe0aaaaa' instead)
echo '\xff'     ==> writes \xff as four literal characters: \ x f f
echo -e '\xff'  ==> interprets \x as a hex escape and writes the actual byte FF
Now let's upload this one and see:
Perfect, it worked. Next let's write a PHP one-liner to see whether we can execute PHP code this way:
We upload Shell.jpg without any issues, but to trigger the web shell we first need to find where the server stores it, since this is all we get after uploading:
Checking our Burp history, right after the POST request made to the server (when we hit Submit) we find this GET request.
Now let's visit the web shell we just uploaded.
The flag is located in /flag.txt .
From here we could use this to get a reverse shell, escalate to root, pivot to the internal network and so on, but that is beyond the scope of this challenge.