Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

12 September 2020 write-up: old-41

1 minutes to read
Link point tag
old-41 250 Linux

Howdy there, welcome to another CTF style challenge. Today’s challenge is about the maximum character can be used in the Linux filename.


A front-page with a file upload query. Anyway, time to read the code.


By referring to the code, we have some filename filter but not that is not important. Two things caught my eye,

With this information, we have to induce an error to reveal the hidden directory. This error must be somehow connected to the uploaded file. I tried uploading a file with a huge size and different types of extension. No luck.

How about Linux filename that exceed 255 characters. For your information, the maximum allowed filename for Linux is 255 characters.


Of course, you can’t just create the file within the Linux system. The best bet is through The Burp Suit. First of all, upload a dummy file and intercept the request.


After that, change the filename as long as you can and it should be more than 255 characters. Then, forward the request.


Return to the page and you should notice there is a warning being raised.


That is the hidden directory we are looking for. After that, try to upload a file with a shorter filename (123 in my case). Visit the following URL to capture the flag<hidden directory>/123


tags: - linux

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel