Based off the name of the challenge we know the interesting stuff is in the
CONTACT US section of the site:
Looking at the source and packet headers we see the site is in php. The challenge description mentions how dangerous mailing libraries can be, let's see if we can find a nice exploit.
We found a nice cve that shows how you could get remote code execution from PHPMailer, seems like it fits like a glove to our situation.
We filled the form using parameters from their POC:
After disabling the
type="email" and filling out the captcha we got this message:
You are so close! please change the backdoor location to: /var/www/html/cache/d0bcbc798d7b.php.
Looks like we're golden. Changing our paramaters according to the message, and updating our php payload to something more useful:
We again disabled
type="email", filled out the captcha and submitted the form. Now after waiting an eternity the page reloaded and we could finally navigate to:
There towards the end of the output we found the flag: