In my approach, I start with registering a user:
Username: ctf
passwd: <something>
First command I ran:
sudo gobuster dir -u http://ctf.securityboat.net/ -w /usr/share/dirb/wordlists/common.txt -t 100
/admin stood out for me.
On visiting http://ctf.securityboat.net/admin/addproduct.html
I see something unusual:
/addproduct.html gets loaded first, then it redirects to the home page.
I turn on Burp and browse to http://ctf.securityboat.net/admin/addproduct.html
With the proxy on, I see this:
I fill in the form and click ADD.
After some forwards in Burp, I got the request:
I sent it to the Repeater and added .php at the end of the filename,
and a PHP cmd shell at the end of the JPG file:
In the response it says Product Added.
I browsed the website; in the vouchers section I can see the product which I added:
I right-clicked and chose "Open image in new tab".
I entered the command and hit Enter:
On viewing the source code, I know I got RCE:
I transferred the request to the Burp Repeater and ran a find command to find the flag.
Cat the file:
Thank you so much for reading. I hope I win.
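
From the defender's side, the upload step above worked because the server accepted a filename ending in .php and image data with a script appended. A sketch of server-side checks that refuse both, as an added example that is not code from the CTF application; the function names, allowlist and sample bytes are assumptions:

```python
import os
import secrets

# Allowed final extensions and the magic bytes each file must start with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
# Byte sequences that have no place in a product image (heuristic, defense in depth).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated filename for an image upload, or raise ValueError."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    # Only the LAST extension counts: "product.jpg.php" yields ".php" and is refused.
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the declared image type")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise ValueError("script marker found inside image data")
    # A complete JPEG ends with the EOI marker FF D9; anything else is
    # either truncated or has bytes appended after the image.
    if ext in (".jpg", ".jpeg") and not data.endswith(b"\xff\xd9"):
        raise ValueError("JPEG does not end at its end-of-image marker")
    # Never reuse the client's filename: random stem plus the vetted extension.
    return secrets.token_hex(16) + ext


def check(name: str, data: bytes) -> str:
    """Human-readable verdict for one upload attempt."""
    try:
        return "accepted as " + validate_upload(name, data)
    except ValueError as exc:
        return "rejected: " + str(exc)


# Constructed sample inputs (not taken from the write-up).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
TAMPERED_JPEG = CLEAN_JPEG + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for name, data in [("product.jpg", CLEAN_JPEG),
                       ("product.jpg.php", CLEAN_JPEG),
                       ("product.jpg", TAMPERED_JPEG)]:
        print(name, "->", check(name, data))
```

The extension allowlist and the server-generated name are the controls that stop the request described above; the content checks only add depth, and the upload directory should still be served without script execution.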