Okay, so we are met with a simple website for uploading PNG files.


Let’s inspect further.


Nothing looks immediately odd.

Using DIRB to brute-force directories:

dirb <url> <path_to_wordlist>


While that's cooking, let’s see if we can trick the server into thinking we are uploading a .png in order to get remote code execution.

It’s possible that the server is only checking for “.png” in the file name.

…that didn’t work.

The server could be checking for a PNG file signature.

From Wikipedia we can get the hex and text forms of the PNG file signature:
</gre_replace>
<gr_replace lines="31" cat="clarify" orig="we can then">
We can then craft a payload by renaming the PNG to a PHP file with the PNG signature at the end of the file.

89 50 4E 47 0D 0A 1A 0A

‰PNG␍␊␚␊

we can then craft a payload by renaming the PNG to a PHP file with the PNG signature at the end of the file.
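As an added example, not part of the original writeup: a defender's-side upload validator in Python (standard library only; the function name and the sample image are constructed here) showing what a robust PNG check looks like compared with the naive checks this challenge probes. It requires the signature at offset 0 rather than anywhere in the file, verifies every chunk's CRC, and rejects any bytes after IEND.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def validate_png_upload(filename: str, blob: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Stricter than 'the signature appears somewhere'."""
    # Extension allowlist; also refuse double extensions such as x.php.png.
    if filename.count(".") != 1 or not filename.lower().endswith(".png"):
        return False, "extension"
    # The signature must be the first 8 bytes, not merely present in the file.
    if not blob.startswith(PNG_SIG):
        return False, "signature must be at offset 0"
    pos = len(PNG_SIG)
    first = True
    while True:
        if pos + 12 > len(blob):  # length(4) + type(4) + crc(4) minimum
            return False, "truncated chunk"
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            return False, "truncated chunk"
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return False, "bad CRC in chunk %r" % ctype
        if first and ctype != b"IHDR":
            return False, "first chunk must be IHDR"
        first = False
        pos = end
        if ctype == b"IEND":
            break
    # Nothing may follow IEND, so extra content cannot ride along in a valid-looking image.
    if pos != len(blob):
        return False, "trailing data after IEND"
    return True, "ok"


# Constructed sample input: a minimal 1x1 greyscale PNG built from scratch.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale
IDAT = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
GOOD_PNG = PNG_SIG + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", IDAT) + _chunk(b"IEND", b"")
```

In production this structural check is a floor, not a ceiling: re-encode accepted images with an image library and store uploads outside the web root under server-generated names so that nothing uploaded is ever executed.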

BOOM. With this upload, we have remote code execution… but it looks like I did something wrong…


Hmmm.