Tags: web pix 

# Full WriteUp
Full Writeup on our website: [http://www.aperikube.fr/docs/ndhquals_2018_pixeditor](http://www.aperikube.fr/docs/ndhquals_2018_pixeditor)

-----

# TL;DR
In this challenge, we had a "paint" tool in JS which allowed us to save our drawing (32*32) in PNG, JPG, BMP...

The save process used an AJAX query with 3 parameters: array of pixels, filename, filetype.

By looking at the JS, we saw a comment which says that the filename is truncated in the backend when its length is over 50px.

This truncation allowed us to upload our image with a PHP extension using aaaa[...]aaa.php.png (which, when truncated, gives aaaa[...]aaa.php).
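The check-then-truncate ordering described above, next to a hardened version, as an added example that is not the challenge's backend code (the writeup does not show it). It is a Python model of the logic; the function names, the allowed-extension set and the limit of 50 characters are assumptions.

```python
import os
import secrets

MAX_LEN = 50                        # assumed limit, from the "50" in the writeup
ALLOWED = {".png", ".jpg", ".bmp"}  # assumed allow-list of image extensions


def save_name_vulnerable(filename: str) -> str:
    """Flawed order: the extension is checked on the full name, then the
    name is truncated, so the stored name may end in something else."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return filename[:MAX_LEN]       # truncation can cut the checked extension off


def save_name_hardened(filename: str) -> str:
    """Validate exactly what will be stored, and never store a client name."""
    base = os.path.basename(filename)
    if base != filename:
        raise ValueError("path components are not allowed")
    if len(base) > MAX_LEN:
        raise ValueError("name too long")   # reject instead of truncating
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if "." in stem:
        raise ValueError("multiple extensions are not allowed")
    # Server-chosen random name: only the validated extension is kept.
    return secrets.token_hex(16) + ext


def stored_extension_differs(filename: str) -> bool:
    """Review helper: True when truncation would change the extension."""
    before = os.path.splitext(filename)[1].lower()
    after = os.path.splitext(filename[:MAX_LEN])[1].lower()
    return before != after


if __name__ == "__main__":
    # Constructed sample in the shape the writeup describes (54 characters).
    sample = "a" * 46 + ".php.png"
    print(save_name_vulnerable(sample)[-4:])   # extension actually stored
    print(stored_extension_differs(sample))
    print(save_name_hardened("drawing.bmp"))
```

Serving uploads from a directory where the web server does not execute scripts remains a separate control that does not depend on the filename check.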

After that, we looked at the different file formats to write PHP in the image chunk. We chose BMP, which allowed us to write PHP in it easily.

The writing process consisted of converting the PHP code to a pixel array and passing it as "image".

Once the payload was uploaded, we got a PHP shell which allowed us to list the files in the root folder and read the flag.
