WRITEUP – DEFCAMP2015 – The hylian dude – Web 200

In this challenge we are given a file hosting service. We can upload a zipped file, and the application provides the extracted files for download.

We found a comment in the HTML source, that shell_execute has been used. We tried to upload a zip file, with a symbolic link to /var/www/html/index.php, and we were able to download the source code. The next idea has been, to download /etc/passwd for further information.

ln -s /etc/passwd passwd
zip --symlinks -r passwd.zip passwd

There it is:

...
dctf:x:65533:65533:DCTF,,,:/nonexistent:/DCTF{28fad39245bc57404263540e94f417d8}