You are now on Level 2, the Social Network. Excellent work so far! Social Networks are all the rage these days, so we decided to build one for CTF. Please fill out your profile at https://level02-2.stripe-ctf.com/user-qngxpdlbyg. You may even be able to find the password for Level 3 by doing so.
The code for the Social Network can be obtained from git clone https://level02-2.stripe-ctf.com/user-qngxpdlbyg/level02-code, and is also included below.
This was fun; you have to change your mindset to a different attack from before. The key lines were lines 9-16:
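    $dest_dir = "uploads/";
    // The stored name, including its extension, comes straight from the client.
    $dest = $dest_dir . basename($_FILES["dispic"]["name"]);
    $src = $_FILES["dispic"]["tmp_name"];
    // No check of the file's type or content before it is moved into uploads/.
    if (move_uploaded_file($src, $dest)) {
        $_SESSION["dispic_url"] = $dest;
        chmod($dest, 0644);
        echo "<p>Successfully uploaded your display picture.</p>";
    }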
The key here lay in the fact that there was no checking of what kind of file you uploaded. As such, anyone could, say, upload C99 or some other PHP shell. Thus, you were able to access the text file.
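For contrast, here is a hardened variant of the same handler, added as an example and not part of the CTF code. The safe_upload_name() helper, the size limit and the allowlist are assumptions made for illustration; it also assumes the session is already started, as in the original app, and that the server is configured not to execute scripts in uploads/.

```php
<?php
// Added example: hardened variant of the upload handler (not the CTF's code).
// Assumptions: session_start() has already run, and the web server is
// configured not to execute scripts inside uploads/.

const MAX_BYTES = 2 * 1024 * 1024;          // assumed size limit (2 MiB)
const ALLOWED = [                           // detected MIME type => stored extension
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Hypothetical helper: returns a server-chosen file name for an allowed
// image, or null when the upload must be rejected.
function safe_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                        // failed or missing upload
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        return null;                        // not a real upload, or too large
    }
    // Inspect the file content; the client-supplied name and type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;                        // anything that is not an allowed image
    }
    // Random name plus an extension from the allowlist, never from the client.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

$dest_dir = "uploads/";
$name = isset($_FILES["dispic"]) ? safe_upload_name($_FILES["dispic"]) : null;
$dest = $name === null ? null : $dest_dir . $name;

if ($dest !== null && move_uploaded_file($_FILES["dispic"]["tmp_name"], $dest)) {
    $_SESSION["dispic_url"] = $dest;
    chmod($dest, 0644);
    echo "<p>Successfully uploaded your display picture.</p>";
} else {
    echo "<p>Upload rejected: only PNG, JPEG or GIF images are accepted.</p>";
}
```

Because the stored extension comes from the allowlist, a file that passes the content check still cannot be saved with a .php name, which is the gap the original lines 9-16 left open.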