In this picoCTF Trickster walkthrough, the first step is web directory enumeration, where I use Gobuster to discover hidden files and folders that are not directly visible on the website.


🤖 Checking robots.txt for Hidden Directories

In the picoCTF Trickster challenge, reviewing the robots.txt file helps uncover 🔍 important hidden paths that are not indexed by search engines. The file reveals two disallowed directories:

📄 /instructions.txt

📁 /uploads/

Although these paths are blocked for bots 🚫, they remain accessible to users. In CTF challenges, this often leads to valuable clues. The 📁 /uploads/ directory is especially important because the lab focuses on a PNG-only image upload web application, making it a strong target for further exploitation.


🐚 PNG-Based Web Shell Creation

In the picoCTF Trickster challenge, a simple PHP web shell is created to execute system commands through the browser.

📝 The file is named shell.png.php to bypass upload filters. Many web applications only check the file extension or allow files containing .png, so this double extension tricks the filter into accepting the file while the server still processes it as a PHP script.

🖼️ Why PNG Is Added at the Top

The PNG text is added at the beginning of the file to pass PNG file validation checks. This makes the file look like a legitimate image, even though it contains executable PHP code.

🎯 This combination demonstrates a classic file upload bypass technique used in web exploitation CTF challenges.
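To make the bypass concrete from the defender's side, here is an added example (not code from the write-up or from the picoCTF challenge): a weak PNG upload filter of the kind this trick defeats, next to a hardened version. The weak filter is an assumption modelled on the text above (`.png` anywhere in the name, the literal text `PNG` at the start of the file); the hardened one checks the full 8-byte PNG signature, allows exactly one extension, refuses PHP open tags inside the bytes, and never reuses the client-supplied filename. The sample uploads are constructed for the demonstration.

```python
"""Added example: weak vs. hardened PNG upload validation.

The Trickster app's real checks are not published; `weak_filter_accepts`
is an assumption modelled on the write-up's description of the bypass.
"""
import os
import re
import secrets
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"           # full 8-byte PNG magic
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)  # <?php or <?= anywhere

# Constructed sample uploads (no real shell code, just a stub PHP tag).
POLYGLOT = b"PNG<?php echo 'stub'; ?>"
VALID_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 13


def weak_filter_accepts(filename: str, data: bytes) -> bool:
    """Weak check (assumed): substring match on the name, bare 'PNG' prefix.

    'shell.png.php' contains '.png', and 'PNG<?php' starts with 'PNG',
    so the polyglot sails through exactly as the write-up describes.
    """
    return ".png" in filename.lower() and data.startswith(b"PNG")


def hardened_filter(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check. Returns (accepted, reason_or_stored_name).

    Each rule closes one part of the bypass:
      - single allow-listed extension  -> no 'shell.png.php' double extension
      - full 8-byte signature          -> the text 'PNG' is not an image header
      - no PHP open tag in the bytes   -> image data with embedded code is refused
      - server-generated filename      -> client cannot choose what gets executed
    """
    base = os.path.basename(filename)            # drop any path components
    if base.count(".") != 1 or not base.lower().endswith(".png"):
        return False, "rejected: name must be <name>.png with a single extension"
    if not data.startswith(PNG_SIGNATURE):
        return False, "rejected: missing PNG signature"
    if PHP_TAG.search(data):
        return False, "rejected: PHP open tag found inside image data"
    stored = secrets.token_hex(16) + ".png"      # 32 hex chars + '.png'
    return True, stored


if __name__ == "__main__":
    for name, data in [("shell.png.php", POLYGLOT), ("photo.png", VALID_PNG)]:
        print(name, "weak:", weak_filter_accepts(name, data),
              "hardened:", hardened_filter(name, data))
```

Even with the hardened filter, the upload directory should be served with script execution disabled (for Apache, a `php_flag engine off` or `RemoveHandler` rule scoped to `/uploads/`) so that a file that somehow gets through is returned as bytes rather than run.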

Image: simple PHP shell code

📤 Uploading the Malicious PNG File

After crafting the file, it is uploaded through the PNG processing web application. The application accepts the file and confirms it as a valid PNG, indicating that the upload restrictions have been successfully bypassed.

🖼️ This confirms that the file passed both:

  • PNG validation checks
  • File extension filtering

🌐 Accessing the Web Shell via /uploads/

Once the upload is complete, the file is accessed directly using the URL:

🔗 /uploads/shell.png.php

Visiting this path loads the uploaded file, and because the server interprets .php files, the embedded PHP code is executed. This opens a simple web-based command execution interface, allowing commands to be run on the server.

🎯 This step confirms successful remote command execution, completing the core exploitation phase of the picoCTF Trickster web challenge.
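The access to `/uploads/shell.png.php` leaves a clear trace, which is what a defender would look for. The following is an added example, not part of the write-up, with two detections run over constructed sample data: an access-log rule that flags requests under `/uploads/` for a file with a server-side-executable or multi-part extension, and an at-rest scan that flags any file in the upload store containing a PHP open tag regardless of its name. The Apache combined log format, the `/uploads/` prefix and the extension list are assumptions.

```python
"""Added example: detecting a Trickster-style upload bypass after the fact.

Assumptions: Apache combined access-log lines, uploads served from
/uploads/, and the EXEC_EXTENSIONS list below.
"""
import re
from typing import Iterable, List, Tuple

EXEC_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
# host ident user [time] "METHOD path proto" status ... (combined log format)
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: a normal page, a real image, and the polyglot.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /uploads/photo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2024:12:01:02 +0000] "GET /uploads/shell.png.php HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
]

# Constructed sample upload store as (name, bytes) pairs.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SAMPLE_FILES = [
    ("photo.png", PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 13),
    ("shell.png.php", b"PNG<?php echo 'stub'; ?>"),   # polyglot, stub tag only
]


def suspicious_upload_path(path: str) -> bool:
    """True for /uploads/<name> where <name> ends in an executable extension
    or carries more than one extension (e.g. shell.png.php)."""
    path = path.split("?", 1)[0]                 # ignore the query string
    if not path.startswith("/uploads/"):
        return False
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False
    return ("." + parts[-1]) in EXEC_EXTENSIONS or len(parts) > 2


def flag_log_lines(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, path, status) for every request that matches the rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and suspicious_upload_path(m.group("path")):
            hits.append((m.group("host"), m.group("path"), m.group("status")))
    return hits


def scan_uploads_for_php(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the names of stored uploads whose bytes contain a PHP open tag.

    Content-based, so a file that passed a name or header check is still caught.
    """
    return [name for name, data in files if PHP_TAG.search(data)]


if __name__ == "__main__":
    for host, path, status in flag_log_lines(SAMPLE_LOG):
        print(f"ALERT: {host} requested {path} (HTTP {status})")
    for name in scan_uploads_for_php(SAMPLE_FILES):
        print(f"ALERT: upload {name} contains PHP code")
```

A `200` status on the flagged request is the strongest signal: it means the server executed or served the uploaded script rather than rejecting it, so the upload directory's handler configuration should be reviewed along with the file itself.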

Image: here I got shell access

🔍 Finding Text Files Using the Web Shell

After gaining command execution through /uploads/shell.png.php, a search is performed to locate text files on the server. Using a system command, all files ending with .txt are listed.

⚠️ Several "Permission denied" messages appear, which is normal because the web shell runs with limited privileges.

✅ Among the results, an important file is discovered inside the web root directory:

  • /var/www/html/GAZWIMLEGU2DQ.txt

🚩 Reading the Flag File

Once the file is found, it is opened using a simple command through the web shell. The contents of the file reveal the flag, completing the picoCTF Trickster challenge.

🎯 This confirms successful file upload bypass, remote command execution, and flag retrieval.

Image: the flag

Here I got the flag. Now it's your turn. Best of luck!

🙌 Final Note

If you enjoyed this picoCTF Trickster walkthrough and found it helpful, follow me on Medium for more beginner-friendly CTF write-ups, web exploitation labs, and hands-on cybersecurity learning 🚀

Keep learning, keep trying, because every CTF makes you a better hacker. What feels difficult today will become your strength tomorrow. 💪🔥