Why2025 Planner

Writeup for WHY2025 Planner (Web) - WHY CTF (2025) 💜

Description

We at WHY2025 are a well oiled machine, this is because we have this awesome planningtool we are developing, please check it out and add yourself to it!

Solution

We register/login and find a planning tool. We can add bullet points, but there doesn't appear to be any HTMLi.

More importantly, we can upload a file. There is no filter on the file extension or content-type, but our file is deleted immediately after the scan. According to the JS source, the site is expecting JSON content.

document.getElementById("uploadForm").addEventListener("submit", async function (e) {
    e.preventDefault();
    const formData = new FormData(this);
    const statusDiv = document.getElementById("uploadStatus");

    statusDiv.textContent = "Uploading and scanning file...";
    statusDiv.className = "";

    const response = await fetch("upload.php", {
        method: "POST",
        body: formData,
    });

    const text = await response.text();

    // Match multiple JSON objects: greedy split on outermost }
    const messages = text.match(/{[^}]+}/g);

    if (!messages) {
        statusDiv.textContent = "Invalid response.";
        statusDiv.className = "error";
        return;
    }

    statusDiv.innerHTML = ""; // clear previous output

    messages.forEach((rawJson) => {
        try {
            const data = JSON.parse(rawJson);
            const msg = document.createElement("div");
            msg.textContent = data.message;
            msg.className = data.status === "fail" || data.status === "deleted" ? "error" : "success";
            statusDiv.appendChild(msg);
        } catch (err) {
            const errDiv = document.createElement("div");
            errDiv.textContent = "Invalid JSON: " + rawJson;
            errDiv.className = "error";
            statusDiv.appendChild(errDiv);
        }
    });
});

However, even when sending a JSON file, the server says the file was deleted after scan (wrong type). I thought maybe we could fuzz file extensions/content-types, but then I remembered a Portswigger lab I solved in the past.

It was a race condition where users could upload files, but the file would be deleted quickly by the AV/firewall. If an attacker sent the file upload request at the same time as [several] requests to access the file, one of them might slip through before the file is deleted. For this, we need to know the location/filename. Luckily for us, this is already provided in the error feedback.

Race Condition

To test the hypothesis, I created a group of tabs in burp repeater. The first uploaded a valid JSON file and the next ~10 would request the file. Sending the group of requests using the last-byte sync (aka single packet attack) would result in some of the responses showing the contents of the JSON file, while others showed a 404 not found error.

I switched the file type to a basic PHP shell, with the rest of the repeater tabs making a GET request to /uploads/new.php?cmd=whoami

<?php system($_GET['cmd']); ?>

Unfortunately, all these requests came back with a 500 internal server error, or 404 not found. I changed the PHP file contents to a more benign one, and it worked (printed "meow").

<?php echo("meow") ?>

I tried a few alternative functions for command execution.

<?php system($_REQUEST["cmd"]); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>

They all failed! Eventually I tried to view the phpinfo()

<?php phpinfo(); ?>

When checking the responses, I see one with a 200 OK and long response body. Searching for "flag" reveals the correct flag 😎

Flag: flag{1cdaf6ddac4je1a91a8dcb8e01llbfbb}

PreviousWhy2025 CTF Time NextFancy Login Form

Last updated 2 months ago