easy

Level 7: Server Fingerprinting (No Server Header)

Recon

Challenge Description

The origin hides its Server header. Determine which web server powers this app anyway.

Objective

An image upload feature blocks .php files but uses weak validation. Bypass the filter to upload executable code.

What you'll learn
  • File extension bypass techniques
  • Alternative PHP extensions (phtml, php3, php5, etc.)
  • Double extension tricks
  • Content-type manipulation

Need a Hint?

Trigger a server-generated error (e.g., 405 at /probes/methods) to fingerprint behavior.

Bypass techniques:

  • Use alternative extensions: .php3, .php5, .phtml, .phar
  • Double extensions: shell.php.jpg
  • Null byte injection: shell.php%00.jpg (older systems)
  • Case variations: .PHP, .PhP

Profile Picture Upload

Upload your profile image (JPG, PNG, GIF only)
Allowed: .jpg, .jpeg, .png, .gif

File Upload Tips

  • Create a test file: echo "<?php echo 'test'; ?>" > shell.php5
  • Or rename: mv shell.php shell.phtml
  • The server blocks .php but what about other extensions?

Vulnerable Code

$fileExt = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

// WEAK VALIDATION: Only blocks .php
if ($fileExt === 'php') {
    die('PHP files not allowed!');
}

// Move uploaded file
move_uploaded_file($_FILES['file']['tmp_name'], 
                    "/uploads/" . $_FILES['file']['name']);

Always use whitelist validation, check MIME types, and store uploads outside webroot!
Safety Note: No files are actually saved to disk. Real upload vulnerabilities can lead to complete server compromise (RCE).
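
A hardened counterpart to the vulnerable handler, applying the three fixes named above (allowlist, content-based MIME check, storage outside the webroot). This is an added example, not the lab's own code; the function name store_profile_image, the UPLOAD_DIR path and the MAX_BYTES limit are assumptions, and it requires PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);

// Assumed values for this example, not taken from the lab.
const UPLOAD_DIR = '/var/app-data/uploads';  // directory outside the webroot
const MAX_BYTES  = 2 * 1024 * 1024;          // 2 MiB size limit

// Allowlist: detected MIME type => extension the server assigns itself.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_profile_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Invalid upload.');
    }

    // Detect the type from the file contents, never from the
    // client-supplied Content-Type header or file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Only JPG, PNG and GIF are allowed.');
    }
    // Second check: the file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }

    // Discard the client file name entirely: random base name plus an
    // extension chosen from the allowlist, so .phtml, .php5, .PhP,
    // double extensions and null bytes never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640);  // no execute bit
    return $name;
}

if (isset($_FILES['file'])) {
    try { echo 'Stored as ', store_profile_image($_FILES['file']); }
    catch (RuntimeException $e) { http_response_code(400); echo $e->getMessage(); }
}
```

Because the stored name is generated server-side, every extension trick listed under "Bypass techniques" is neutralized by construction rather than by enumerating bad extensions.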