$ cat writeup.md…
$ cat writeup.md…
hackerlab
Task: PHP ExifTool image-upload service that interpolates the multipart filename into shell_exec with extension-only validation. Solution: OS command injection via base64-wrapped filename payload, exfiltrate via web static dir, recover SSH password rendered inside a carved PNG, then privesc with sudo NOPASSWD /usr/bin/date (GTFOBins arbitrary file read) to read both flag parts.
Permission denied (requires tier.pro)
Sign in with GitHub, Discord, or Google to continue. No email required.
$sign in$ grep --similar