Okay, so we are met with a simple website for uploading PNG files.
Let's inspect further.
Nothing looks immediately odd.
Using DIRB to brute-force directories:
    dirb <url> <path_to_wordlist>
While that's cooking, let's see if we can trick the server into thinking we are uploading a .png in order to get remote code execution.
It's possible that the server is only checking for ".png" in the file name.
…that didn’t work
The server could instead be checking for a PNG file signature.
From Wikipedia we can get the text and hex forms of the PNG file signature:
89 50 4E 47 0D 0A 1A 0A
‰PNG␍␊␚␊
We can then craft a payload by renaming the PNG to a PHP file with the PNG signature at the end of the file.
BOOM. With this upload, we have remote code execution…but it looks like I did something wrong…
hmmm
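For contrast, this is the kind of server-side check that a signature-only filter lacks, as an added example that is not code from the write-up or from the challenge: it allow-lists the final extension, requires the signature at offset 0 rather than anywhere in the file, walks the chunks verifying each CRC, and rejects anything trailing IEND. The 1x1 PNG and the signature-appended blob are constructed test inputs, not files from the challenge.

```python
import struct
import zlib

# PNG signature from the write-up: 89 50 4E 47 0D 0A 1A 0A
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {"png"}

def has_allowed_extension(filename: str) -> bool:
    """Allow-list on the final extension only, so 'x.png.php' is rejected."""
    parts = filename.rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in ALLOWED_EXTENSIONS

def is_structurally_png(data: bytes) -> bool:
    """Signature at offset 0, IHDR first, every chunk CRC valid, nothing after IEND."""
    if not data.startswith(PNG_SIGNATURE):  # a signature appended to a script fails here
        return False
    pos, first = len(PNG_SIGNATURE), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if first and ctype != b"IHDR":
            return False
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        first = False
        if ctype == b"IEND":
            return chunk_end == len(data)  # trailing bytes would make it a polyglot
        pos = chunk_end
    return False  # ran out of data without a proper IEND chunk

def is_valid_png_upload(filename: str, data: bytes) -> bool:
    return has_allowed_extension(filename) and is_structurally_png(data)

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 greyscale PNG used as test input (not a file from the challenge).
MINIMAL_PNG = (PNG_SIGNATURE
               + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
               + _chunk(b"IEND", b""))
# Constructed stand-in for the write-up's trick: non-image bytes with the signature appended.
SIGNATURE_APPENDED = b"not an image at all" + PNG_SIGNATURE
```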