The challenge ‘Anonymous’ was one of the more interesting challenges in Excel 2025 CTF. It was filed under the miscellaneous category but consisted mostly of web-based attacks, and I used a combination of my own skills, web search, and AI to solve it. My performance in the CTF earned me 24th position with a score of 2260 points.
This challenge involved a chain of vulnerabilities: an XXE injection to gain a foothold, then the discovery of a hidden host, and finally a bypass of a multi-layered file upload filter to achieve Remote Code Execution (RCE).
The challenge started by accessing the website, which presented a simple webpage with a “Join Us” form. Viewing the page’s source code revealed a JavaScript function that constructed an XML payload and sent it to notify.php. From my analysis, using AI and web search, I understood that this pointed to a potential XML External Entity (XXE) vulnerability.
(Image: source code showing the vulnerability)
So I then used the curl tool to send a payload to the notify.php endpoint and confirmed the vulnerability by reading the /etc/passwd file.
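For comparison, here is how an endpoint like notify.php could parse the “Join Us” XML without ever resolving an external entity. This is an added example, not the challenge’s code; the `<notify><name>…</name><email>…</email></notify>` layout and the function name are assumptions.

```php
<?php
// Added example, not the challenge's code: how an endpoint like notify.php
// can parse the "Join Us" XML without resolving external entities. The
// <notify><name>..</name><email>..</email></notify> layout is an assumption.

function parseJoinRequest(string $xml): ?array
{
    // A legitimate form submission never carries a DTD, so refuse anything
    // that declares one before the XML parser sees it.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing. LIBXML_NOENT is
    // deliberately absent: that flag is what switches entity substitution on.
    // The doctype check is a second line of defence behind the string check.
    if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null;
    }

    $name  = $doc->getElementsByTagName('name')->item(0);
    $email = $doc->getElementsByTagName('email')->item(0);
    if ($name === null || $email === null) {
        return null;
    }
    return ['name' => $name->textContent, 'email' => $email->textContent];
}

// Constructed inputs: a normal submission and the kind of payload the
// writeup used against notify.php (an entity that points at /etc/passwd).
// The benign request yields an array; the XXE request is rejected before
// the parser is ever invoked, so the entity is never resolved.
$benign = '<notify><name>alice</name><email>alice@example.com</email></notify>';
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE n [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<notify><name>&xxe;</name><email>a@example.com</email></notify>';

var_dump(parseJoinRequest($benign));
var_dump(parseJoinRequest($xxe));
```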
Then, with file-read access, I enumerated system configuration files. Reading /etc/apache2/sites-enabled/000-default.conf revealed a second, hidden website or virtual host: anonupload.cyberquest
(Image: system configuration files and the hidden host name)
So I added 35.200.207.70 anonupload.cyberquest to my /etc/hosts file and browsed to the new host, which served a password-protected file upload page.
Then I used the same XXE vulnerability again to read the source code of /var/www/anonupload.cyberquest/index.php and found the password: supersecret1234564_niceeeee132213.
(Image: the password in the source code of index.php)
After logging in, we can see a strict file upload form. This is where the challenge involved more trial and error.
(Image: the file upload form)
My initial attempts to upload a PHP shell failed, but each failure gave a clue.
- **Attempt 1: MIME type bypass.** I tried uploading a .php file while setting the Content-Type header to image/jpeg, intercepting the request with Burp Suite.
This error showed that the server wasn’t just trusting the header; it was checking the file’s actual content, probably by its magic number.
- **Attempt 2: Magic number and extension mismatch.** So I tried uploading a file with a valid PNG signature but a .php extension. It also failed.
This error revealed that the server is strict: the file’s content and its extension both had to match one of the allowed types.
Then I re-examined the index.php source code, where I found the critical vulnerability in the validation logic. The code used a flawed **explode()** call to check the extension but **pathinfo()** to determine the extension when saving the file.
(Image: the vulnerable code)
So I tried a bypass. By naming the file **shell.jpeg.php**, the validation check would see jpeg and pass, but the server would save the file with its true final extension, .php.
To pass the content check, the file needed to be a valid **JPEG**. Adding the payload directly to the file caused an error, so instead I embedded the PHP payload in the JPEG’s comment metadata using exiftool.
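The explode()/pathinfo() mismatch described above, reconstructed from the writeup’s description and placed beside a hardened version that validates and saves with the same final extension (added example, not the challenge’s own source; the helper names and the allow-list are mine). It also shows why the content check alone is not enough: a JPEG with PHP in its comment still has valid magic bytes.

```php
<?php
// Added example, not the challenge's code: the validation flaw the writeup
// describes (explode() to validate, pathinfo() to save), reconstructed from
// its description, beside a hardened version. Helper names are assumptions.

const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

// Vulnerable pattern: looks at the SECOND dot-separated token, so a name
// like "shell.jpeg.php" is validated on the "jpeg" in the middle ...
function vulnerableExtension(string $filename): string
{
    $parts = explode('.', $filename);
    return strtolower($parts[1] ?? '');
}

// ... while the save path takes the LAST extension, so the file lands as .php.
function savedExtension(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Hardened: validate and save using the same final extension, verify the real
// content type with finfo (the magic-byte check the server already did), and
// never reuse the client-supplied name. Returns the server-side name or null.
// A JPEG carrying PHP in an EXIF comment still passes finfo, so the real
// protection is the extension allow-list plus an uploads directory where
// the web server does not execute scripts.
function safeUploadName(string $clientName, string $tmpPath): ?string
{
    $ext = savedExtension($clientName);
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    // Random name with an allow-listed extension: the client's name never
    // influences what is written to disk.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed demonstration of the mismatch: the two checks disagree on the
// same filename, which is exactly the gap the bypass walked through.
$name = 'shell.jpeg.php';
echo 'validated as: ', vulnerableExtension($name), PHP_EOL;
echo 'saved as:     ', savedExtension($name), PHP_EOL;
echo 'hardened:     ', safeUploadName($name, '/dev/null') ?? 'rejected', PHP_EOL;
```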
So I intercepted the upload of image.jpeg in Burp Suite, modified the request, and renamed the file to shell.jpeg.php.
Success!
With the shell uploaded, I accessed it via the browser to execute commands.
First I listed the files in the root directory to find the flag:
http://anonupload.cyberquest/uploads/2a9526f0dd3382db.php?cmd=ls -la /
(Image: listing of the root directory)
This revealed the flag file, fl444g_11d854d6a9c9341e8af155128bf74362.txt.
Now we have to read its contents to get the flag and complete the challenge.
(Image: the flag)
Yep… We got the flag…
Overall, Excel 2025 CTF was fun and fantastic, offering a variety of challenges including reverse engineering, web exploitation, forensics, steganography, binary exploitation, OSINT, and cryptography.
This particular challenge, **“Anonymous”**, was especially interesting to me, which inspired me to write this detailed writeup.
Big thanks to the Excel CTF team who organised this CTF.
Connect with me on LinkedIn