[web-8] Remote code execution (RCE) on gallery.edu.stf

Obtain RCE on the host gallery.edu.stf (10.124.1.236).

To get the flag, run the script /home/rceflag.

I started with an Nmap scan to identify open ports and running services:

Open Ports: 22, 80

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5f:c7:01:53:89:1a:a8:d5:18:1a:18:1c:9a:d3:50:b1 (RSA)
|   256 e0:cf:fc:04:c4:31:ef:92:1c:53:c8:e0:f5:69:03:6b (ECDSA)
|_  256 57:f5:92:64:3c:1c:26:92:db:51:be:97:a2:c1:e6:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 25.16 seconds

Next, I used ffuf to scan for directories and discovered /images

┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u <http://10.124.1.236/FUZZ> -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt 

        /'___\\  /'___\\           /'___\\       
       /\\ \\__/ /\\ \\__/  __  __  /\\ \\__/       
       \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\      
        \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/      
         \\ \\_\\   \\ \\_\\  \\ \\____/  \\ \\_\\       
          \\/_/    \\/_/   \\/___/    \\/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : <http://10.124.1.236/FUZZ>
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

javascript              [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 208ms]
images                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 4798ms]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 208ms]
:: Progress: [62281/62281] :: Job [1/1] :: 191 req/sec :: Duration: [0:05:44] :: Errors: 0 ::

Browsing to the website, it shows several images and gallery content

And at the bottom, I discovered that the application has a function to upload images and also allows downloading via URL.