ContactUs

By Narcissus

ContactUs

Based off the name of the challenge we know the interesting stuff is in the CONTACT US section of the site:

site

Looking at the source and packet headers we see the site is in php. The challenge description mentions how dangerous mailing libraries can be, let's see if we can find a nice exploit.

We found a nice cve that shows how you could get remote code execution from PHPMailer, seems like it fits like a glove to our situation.

We filled the form using parameters from their POC:

 

After disabling the type="email" and filling out the captcha we got this message: You are so close! please change the backdoor location to: /var/www/html/cache/d0bcbc798d7b.php.

Looks like we're golden. Changing our paramaters according to the message, and updating our php payload to something more useful:

 

We again disabled type="email", filled out the captcha and submitted the form. Now after waiting an eternity the page reloaded and we could finally navigate to: /cache/d0bcbc798d7b.php

There towards the end of the output we found the flag: BSidesTLV{K33pY0urM4il3rFullyP4tch3D!}.

Success