This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
Upload a basic PHP web shell.
Use it to exfiltrate the contents of the file:
/home/carlos/secret
Submit this secret using the button provided in the lab banner.
You can log in to your own account using:
wiener:peter
After reading the lab description, I knew this was a basic bypass challenge.
First, I tried different filename variations:
shell.jpg
shell.php.jpg
shell.pHp.jpg
shell.php%20.jpg
shell.php;.jpg
shell.php:.jpg
All of these uploaded successfully ✅, but when accessed via /files/avatars/[payload] the response was either a broken image or an internal server error.
Then I tried null byte obfuscation:
shell%00.jpg
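To make the difference between these variants concrete, here is an added example (my own Python model, not code from this write-up or from the lab) of why a blacklist that inspects the submitted filename can be defeated with a null byte: the check sees the URL-decoded name, including the `.jpg` after the `%00`, while a C-string based file API stops at the NUL and stores only what comes before it. The blacklist, the truncation and the hardened check are assumptions standing in for server-side code the lab does not show. The script runs the names listed above plus the `.php%00.jpg` form, which is the shape the null byte trick takes in this lab, and reports for each one what the validator sees, what would land on disk, and whether that is executable PHP.

```python
"""Submitted-name vs stored-name mismatch behind a null byte extension bypass.

Added example, not code from the write-up or the lab. The blacklist, the
C-string truncation and the hardened check are assumptions standing in for
the server-side code, which the lab does not show.
"""
from urllib.parse import unquote

# Assumed blacklist of extensions the upload handler refuses.
BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Assumed allowlist used by the hardened check below.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# The names tried in the write-up, plus the .php%00.jpg form.
CANDIDATES = [
    "shell.jpg",
    "shell.php.jpg",
    "shell.pHp.jpg",
    "shell.php%20.jpg",
    "shell.php;.jpg",
    "shell.php:.jpg",
    "shell%00.jpg",
    "shell.php%00.jpg",
]


def extension(name: str) -> str:
    """Extension as a naive check computes it: text after the last dot, lowercased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def naive_validator_allows(decoded: str) -> bool:
    """Weak check: looks only at the extension of the full decoded filename."""
    return extension(decoded) not in BLACKLIST


def stored_name(decoded: str) -> str:
    """Name a C-string based file API writes: the NUL terminates the string."""
    return decoded.split("\x00", 1)[0]


def analyse(raw_filename: str) -> dict:
    """Trace one upload name from the request to disk."""
    decoded = unquote(raw_filename)          # %00 -> '\x00', %20 -> ' '
    allowed = naive_validator_allows(decoded)
    stored = stored_name(decoded) if allowed else None
    # Bypass: the check passed and what lands on disk is PHP.
    bypass = allowed and extension(stored) in BLACKLIST
    return {
        "raw": raw_filename,
        "validator_sees": decoded,
        "allowed": allowed,
        "stored_as": stored,
        "bypass": bypass,
    }


def hardened_validator_allows(decoded: str) -> bool:
    """Validate what will be stored, not what was submitted."""
    # Any control character, NUL included, has no place in a filename.
    if any(ord(c) < 0x20 for c in decoded):
        return False
    stored = stored_name(decoded)            # identical to decoded once NUL is gone
    parts = stored.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_IMAGE_EXT:
        return False
    # Reject script extensions anywhere in the name; some servers honour
    # multiple extensions (shell.php.jpg) when mapping files to handlers.
    return not any(p in BLACKLIST for p in parts[:-1])


def run_all() -> list:
    """Analyse every candidate name; only .php%00.jpg survives as PHP on disk."""
    return [analyse(name) for name in CANDIDATES]


if __name__ == "__main__":
    for r in run_all():
        print(f"{r['raw']:<20} allowed={r['allowed']!s:<5} "
              f"stored={r['stored_as']!r:<22} bypass={r['bypass']}")
```

Run it and the table shows the same pattern as the upload attempts above: every variant passes the naive check, but only the name with `.php` immediately before the `%00` is truncated to something PHP will execute; `shell%00.jpg` on its own is stored as `shell`, which the server does not treat as a script. The hardened check refuses the NUL before it can influence anything and allowlists the extension of the name that will actually be stored.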