This is my new file uploader server. I bet you can’t hack it!

The website allows us to upload files. Let’s create a php shell file, but save it as dummy.txt.

Then, try to upload it.

It expects file name to contain .png/.jpg/.gif. Let’s rename our dummy.txt file to dummy.png.txt and try to upload it again.

Let’s check the given url.

We have uploaded it successfully. Let’s try to investigate the /uploads/ directory.

We have a directory called “Don’t open”. Let’s see what’s inside.

It contains a htaccess file. Let’s look at the contents of it.

It tells us that the server runs files with extension .cyb3r using PHP.

Let’s rename our file to rce.png.cyb3r and upload it again.

We successfully uploaded our shell file. Let’s test it first.

It works! Now, we can search for the flag!

Here is the flag noxCTF{N3V3R_7RU57_07H3R5}.