Abusing file inclusions using Windows 8.3 filename legacy shortcodes - MMACTF Rotten Uploader web 150 writeup
Using legacy Windows 8.3 short filenames, we bypass the filter to download files. (MMACTF 2016 web 150 writeup)
Rotten Uploader was a good challenge, but it took a good amount of time to solve despite being an easy challenge (of course it's easy once you know how to do it :P). So here is the challenge description:
Find the secret file.
Hint1 (2016/09/04 16:31)
The files/directories on the DOCUMENT_ROOT are below four.
The number of files in the DOCUMENT_ROOT/uploads is 5. The directory has "index.html".
You don't need scan tools.
We are presented with a site that can be used to download 3 files, namely
test.c. The download happens through a file named
The first thing that comes to mind after seeing the URL is to test for Local File Inclusion (LFI), and indeed it was vulnerable to LFI! So let's download the source code of
So far we understand the following points:
1) The uploads/ directory has 5 files, 4 of which are known to us. So the 5th file (whose name we don't know yet) has to be the flag.
2) If we know the filename, we can download it via download.php. The only possible way to learn the filename is to get file_list.php, which will contain the list of all files.
3) The string file_list has been blocked by a stripos() check, which cannot be bypassed easily (as stripos() doesn't have any known bypasses).
It took a while to understand that the server is running Windows. So the question arises: why did they configure this challenge on a Windows machine while all the others are on Linux (Linux is usually preferred for web servers)? Then we came across a legacy Windows feature called Windows 8.3 filenames, and that led us to the bypass! On NTFS and FAT volumes Windows also generates a short alias for every long filename (the first six characters, a tilde and a digit, plus a three-character extension, e.g. FILE_L~1.PHP), and the same file can be opened under either name, so a blocklist that only looks at the long name never sees the alias.
So, computing the short filename, we can use file_l~1.php, and the file can be downloaded by sending the following request: download.php?f=../file_l~1.php. This got us the source code of
So now we know the filename in which the flag is present, and hence we can download it using the LFI:
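As an added example (not from the original writeup), the following Python models the substring blocklist the writeup describes, shows why the 8.3 alias slips past it, and puts a basename allowlist and an access-log check beside it; the function names, the allowlist contents and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Allowlist of files download.php may serve. Only test.c is named on the
# page; the other two download names are not, so they are left out here.
ALLOWED = frozenset({"test.c"})

# 8.3 short names look like FILE_L~1.PHP: any "~<digits>" in a path
# component is the tell, for directories (PROGRA~1) as well as files.
SHORT_NAME = re.compile(r"~\d+")

def naive_blocklist(requested: str) -> bool:
    """Substring blocklist modelled on the challenge's stripos() check.
    Returns True when the request would be served."""
    return "file_list" not in requested.lower()

def hardened_allowlist(requested: str, allowed=ALLOWED) -> bool:
    """Serve only a bare filename that is on an explicit allowlist.
    Traversal, short-name forms and unknown names are all refused."""
    name = unquote(requested).replace("\\", "/")
    if "/" in name or name in ("", ".", ".."):
        return False            # directory components mean traversal
    if SHORT_NAME.search(name):
        return False            # 8.3 alias of some long filename
    return name in allowed      # exact match, stricter than Windows' own

# Detection side: flag download.php hits whose f= parameter carries
# traversal or a short-name alias after URL decoding.
LOG_RE = re.compile(r'GET /download\.php\?f=([^ "]+)')

def flag_suspicious(log_line: str) -> bool:
    m = LOG_RE.search(log_line)
    if not m:
        return False
    f = unquote(m.group(1))
    return ".." in f or SHORT_NAME.search(f) is not None

# Constructed sample access-log lines, not captured from the challenge.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2016:16:40:01 +0000] "GET /download.php?f=test.c HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Sep/2016:16:41:13 +0000] "GET /download.php?f=..%2Ffile_l~1.php HTTP/1.1" 200 1490',
]

def suspicious_lines(lines=SAMPLE_LOG):
    """Return the log lines that flag_suspicious() marks."""
    return [line for line in lines if flag_suspicious(line)]
```

Running naive_blocklist("../file_l~1.php") returns True (the request is served), while hardened_allowlist() refuses it and suspicious_lines() returns the second sample line.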
1) Windows 8.3 filename