In this challenge, the attacker has administrative access to the web application and needs to find remote code execution vulnerability in order to run arbitrary commands on the server.
Objective: Exploit the remote code execution vulnerability and retrieve the flag!
Like many other CMS, templates can probably be edited to contain our php code. Let’s give the blog-post template a simple webshell for free.
and then we visit the blog post and try out a command ?cmd=id
and the find our flag using urlencode(“find / -type f -name flag”)
Time to get our flag