# Magical Television I already knew about magic eye, so it didn’t take me long to recognize that this is a magic eye by pausing the video and observing the patterns in the frames. Solution: 1. `ffmpeg -i magic_television.mp4 -r 1/1 $extracted%03d.png` to extract some frames from the video 2. https://magiceye.ecksdee.co.uk/ magic eye viewer to view the images. Could also view by eye but I can't be bothered. flag: `firebird{we_need_a_pair_of_magic_eyes!}` # Innocent Image Viewer This challenge's solution consists of two parts. Firstly, we need to bypass the checking function and upload a phpwebshell. Secondly, since the uploaded webshell will be randomly renamed to xxx.jpg (no .php extension), it cannot be executed as a php webshell by the server. Therefore, we need to exploit `preg_replace` to rename the file to have a .php extension. Finally, we can access the renamed webshell and get the flag. Solution: 1. upload webshell as follows. The GIB89a; is to trick `getimagesize` into thinking that this is an actual image, in order to bypass the filechecking.  2. the server renames the uploaded webshell to xxxx.jpg. Remember this filename. Since the file extension is .jpg and not .php, and we have no control over the filename when we upload it, it is not possible to execute the webshell yet. We need to rename the uploaded file in the following steps by exploiting `preg_replace`. 3. Make a new image with EXIF data as follows:  I used [https://www.thexifer.net](https://www.thexifer.net/) because I'm lazy to search for the command of exiftool. 4. Upload this image. Due to the regex and the `/e` in Make, the command in Model will be executed to rename the webshell to xxxx.php 5. Access the webshell at [http://ash-chal.firebird.sh:36025/uploads/65acc00cd56bf.php?cmd=cat %2Fflag](http://ash-chal.firebird.sh:36025/uploads/65acc00cd56bf.php?cmd=cat%20%2Fflag) flag: `firebird{wh47_4_b34u71ful_p1c!}`