- Brief: try to exploit the upload form to read the flag in the root directory
- `ping` test ![[images/Pasted image 20251224175456.png]]
- `nmap` scan ![[images/Pasted image 20251224175511.png]]
- visit page ![[images/Pasted image 20251224174749.png]]
- all links seem like dead ends; however, `/contact` is interesting ![[images/Pasted image 20251224174823.png]]
- a file upload field is included
- source code ![[images/Pasted image 20251224174858.png]]
- `checkfile` function triggered upon `onchange` event ![[images/Pasted image 20251224175126.png]]
- accepted file types include `.jpg,.jpeg,.png`
- unclear where the file is uploaded
- looks like we need to read the source code for `/contact/upload.php`
- grab a test image ![[images/Pasted image 20251224175641.png]]
- test upload with `cat.jpg` ![[images/Pasted image 20251224175729.png]]
- output is interesting ![[images/Pasted image 20251224175815.png]] ![[images/Pasted image 20251224175809.png]]
- try to reach image at `/contact/upload/php?uploadFile=cat.jpg` ![[images/Pasted image 20251224193009.png]]
- try to reach image at `/contact/upload/php?cat.jpg`
- same message
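
The `checkfile` handler and the `.jpg,.jpeg,.png` accept list noted above run in the browser, so they only shape what the form offers; the same allowlist has to be enforced where the upload is received. The check below is an added example, not code from the target application or from these notes; the function names and byte samples are constructed for illustration.

```javascript
// Added example: server-side counterpart to the form's client-side checkfile().
// All names here are hypothetical; byte samples are constructed, not real uploads.
const JPEG_SIG = [0xff, 0xd8, 0xff];
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
// Same allowlist the form advertises: .jpg, .jpeg, .png
const ALLOWED = new Map([["jpg", JPEG_SIG], ["jpeg", JPEG_SIG], ["png", PNG_SIG]]);

function validateUpload(filename, bytes) {
  // The client-supplied name must be a bare file name: no separators, no NUL.
  if (typeof filename !== "string" || /[\/\\\0]/.test(filename)) {
    return { ok: false, reason: "invalid name" };
  }
  // Exactly one dot, so the extension checked is the entire suffix.
  const parts = filename.toLowerCase().split(".");
  if (parts.length !== 2 || parts[0] === "") {
    return { ok: false, reason: "name must be <base>.<ext>" };
  }
  const sig = ALLOWED.get(parts[1]);
  if (!sig) return { ok: false, reason: "extension not allowed" };
  // The content must begin with the signature of the type the name claims.
  if (bytes.length < sig.length || !sig.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: "content does not match extension" };
  }
  // Caller should store under a server-generated name, keeping only this ext.
  return { ok: true, ext: parts[1] };
}

// Constructed inputs: [client file name, leading bytes of the body].
const SAMPLES = [
  ["cat.jpg", Uint8Array.from([...JPEG_SIG, 0xe0, 0x00, 0x10])],
  ["cat.png", Uint8Array.from([...JPEG_SIG, 0xe0])],
  ["cat.backup.jpg", Uint8Array.from(JPEG_SIG)],
  ["notes.txt", Uint8Array.from([0x68, 0x69])],
  ["../cat.jpg", Uint8Array.from(JPEG_SIG)],
];

function runSamples() {
  return SAMPLES.map(([name, body]) => ({ name, ...validateUpload(name, body) }));
}

console.log(runSamples());
```

A matching signature is a floor, not proof that the body is a well-formed image; re-encoding accepted images and storing them outside any directory the server executes from reduces the remaining risk.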