Webverselabs Crosswind Challenge File Upload
Scenario:
Crosswind has run since 2019 on member dues and three volunteer mods — no ads, no premium tier, no syncing your heart-rate to a hedge fund. The stack is whatever ran fine on a Linode in 2019: PHP, a single database file, and a profile-picture form the founder wrote in one sitting after a long Saturday gravel ride. The next morning he added a short rejection list for “the obvious stuff people might try to upload,” patted himself on the back, and went out for coffee.
Solution:
First we visit the web app and navigate it like a normal user, as usual.
The /Feed and /Rides endpoints don’t return anything useful, and fuzzing didn’t return any additional endpoints. Let’s create an account and browse the app more; we find /account.php, which allows us to upload an image.
Let’s try uploading a webshell and see if we can bypass the front-end filters.
The first bytes are there to make sure we bypass the MIME type filters. Now let’s upload this, intercept the request and modify the extension to php to see if it works.
This doesn’t work since php extensions are blocked. This is good, as the application uses blacklist filtering, which is easier to bypass than a whitelist filter. Here is a list of PHP extensions that we can try to see if any of them bypasses this filter:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
I will be using php7; feel free to use any of these extensions as long as it allows the execution of PHP code.
It works. Now we just need to find where the uploaded image is stored; luckily for us, the application displays it:
Now we just visit /uploads/avatars/7-profile.php7 and we should find our webshell.
The flag is located at /flag.txt.
That’s it for this challenge.
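For the defensive side of the blacklist-versus-whitelist point above, here is an added example (not the challenge's code and not part of the original write-up) that puts a deny-list extension check beside an allowlist that detects the image type from the content and lets the server choose the stored name. The function names, the deny-list contents and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: deny-list check vs. allowlist check for an avatar upload.
// Function names, list contents and sample inputs are constructed assumptions.

// Deny-list in the style the scenario describes: whatever is not listed passes.
function denylist_accepts(string $clientName): bool
{
    $blocked = ['php', 'phtml', 'phar'];              // constructed "obvious stuff" list
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: the type is detected from the bytes, and the stored name and
// extension are chosen by the server, never taken from the request.
function allowlist_store_name(string $bytes): ?string
{
    $types = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset($types[$info['mime']])) {
        return null;                                  // not a recognised image: reject
    }
    // A file that merely starts with image magic bytes may still pass detection,
    // but it is stored under an image extension and a random name, so the
    // client-supplied extension never decides how the web server handles it.
    return bin2hex(random_bytes(16)) . '.' . $types[$info['mime']];
}

// --- demo on constructed inputs ---
foreach (['7-profile.php', '7-profile.php7', '7-profile.png'] as $name) {
    printf("deny-list  %-15s accepted=%s\n", $name, var_export(denylist_accepts($name), true));
}

// Constructed 1x1 GIF and a constructed non-image payload.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = ['1x1 gif' => $gif, 'script text' => "<?php echo 'not an image';"];
foreach ($samples as $label => $bytes) {
    printf("allowlist  %-15s stored_as=%s\n", $label, var_export(allowlist_store_name($bytes), true));
}
```

Disabling script execution for the upload directory, or storing uploads outside the web root, is a second layer that holds even if the validation is wrong.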