Forensics
File Categorization
File Extension
There will be challenges that involve a file upload that checks the extension of the file based on some form of RegEx (e.g. with some `substr()`, `strpos()`, `preg_match()`).
If the validator is just looking for the name to include `.pdf`, then you can use double extensions, like `reverse_shell.pdf.php`. You can use Burp Suite's Intruder in Sniper mode with a wordlist of extensions to check which extensions are allowed, e.g. `.php`, `.php2`, `.php3`, `.php4`, `.php5`, `.php6`, `.php7`, `.phtm`, `.phtml`, `.phps`, `.php-s`, `.pht`, `.phar`.
Media Type
Some servers will trust the `Content-Type` specified by the user, e.g.:
You can also change the `Content-Type` in Burp.
Structure
If the server is checking the structure of the file, consider polyglot files (link). Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc. The most famous one is PHAR-JPG (link).
Magic Bytes
Files starting with specific leading bytes will usually be read as that type of file by utilities.
A file might be corrupted. Dump its header with a hex tool, e.g. `xxd filename.png | head`, and you may be able to guess the actual file type from the contents (e.g. `IDAT` means PNG) and change the leading bytes to recover it.
Known-plaintext attack (link)
If you have an encrypted file of a known type, XOR the encrypted file with the known magic bytes and you can potentially recover the key. Then XOR the encrypted file with the key to decrypt it and recover the image.
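As an added example (not code from the original notes), a small Python script that identifies a file from its magic bytes and then runs the known-plaintext recovery described above against a constructed XOR-encrypted PNG. The signature table, the sample image bytes and the key are all constructed here; the crib (known header) must be longer than the key, because only the bytes beyond the key length can confirm a guess.

```python
# Constructed table: (signature that identifies a file, longer known header
# used as a crib for XOR key recovery). The byte values are the real signatures.
FILE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"),
    "gif": (b"GIF8", b"GIF89a"),
    "pdf": (b"%PDF-", b"%PDF-1."),
    "zip": (b"PK\x03\x04", b"PK\x03\x04"),
}

def identify(data):
    """Return the type whose magic bytes open `data`, else None."""
    for name, (sig, _) in FILE_TYPES.items():
        if data.startswith(sig):
            return name
    return None

def xor_bytes(data, key):
    """XOR `data` with a repeating `key` (the usual CTF construction)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(cipher, crib, key_len):
    """Known-plaintext: key[i] = cipher[i] ^ crib[i] for i < key_len.
    Crib bytes past key_len are not consumed by the derivation, so they
    confirm the guess; a crib no longer than the key can confirm nothing."""
    if key_len < 1 or key_len >= len(crib) or len(cipher) < len(crib):
        return None
    key = xor_bytes(cipher[:key_len], crib[:key_len])
    return key if xor_bytes(cipher[:len(crib)], key) == crib else None

def recover_file(cipher, max_key_len=16):
    """Try every known header as crib and key lengths 1..max_key_len, shortest
    first; return (type, key, plaintext) for the first confirmed hit."""
    for name, (_, crib) in FILE_TYPES.items():
        for key_len in range(1, max_key_len + 1):
            key = recover_xor_key(cipher, crib, key_len)
            if key is not None:
                return name, key, xor_bytes(cipher, key)
    return None

# Constructed sample: PNG header (16x16 RGBA) plus filler, XORed with a short
# repeating key. Not a real image; chunk CRCs are omitted.
SAMPLE_PNG = (FILE_TYPES["png"][1]
              + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"
              + b"constructed filler, not real chunk data")
SAMPLE_KEY = b"k3y!"
SAMPLE_CIPHER = xor_bytes(SAMPLE_PNG, SAMPLE_KEY)

if __name__ == "__main__":
    print("encrypted file identifies as:", identify(SAMPLE_CIPHER))  # None
    print("recovered:", recover_file(SAMPLE_CIPHER)[:2])  # ('png', b'k3y!')
```

Because the key is derived from the first `key_len` bytes, a guess is only trustworthy when at least one further crib byte decrypts correctly; with a key as long as the header, `recover_xor_key` deliberately returns None rather than a circular "match".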
Binwalk