
Under the Web — HTB Challenge

retleave·Apr 21, 2026·8 min read


Info

  • Category: Pwn
  • Difficulty: Medium

Introduction

Under the Web is a web-binary hybrid challenge that combines a PHP image gallery application with a custom PHP extension (metadata_reader.so) for EXIF metadata parsing. The attack chain exploits a path traversal vulnerability in the image viewer to leak /proc/self/maps (defeating ASLR), then crafts a malicious PNG with EXIF metadata fields that overwrite the PHP extension's GOT entry for efree() with system(). When the extension processes the crafted image, it calls efree(artist_string) -- which now executes system(artist_string), where the Artist field contains a shell command.
The elegance of this challenge lies in its multi-layer exploitation: a web vulnerability provides the information leak, an image format carries the binary payload, and a PHP extension's internal memory management becomes the execution trigger.

Vulnerability Analysis

The Web Application

The application has three PHP files:
index.php -- Gallery listing that calls getImgMetadata() for each PNG in the uploads directory:
```php
$images = glob($directory . "*.png");
foreach ($images as $image) {
    $info = getImgMetadata($image);
    $data = explode("\n", $info);
    // display Title, Artist, Copyright
}
```
view.php -- Full image viewer with a path traversal vulnerability:
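The view.php source is withheld above, but the class of bug it carries (a user-supplied filename reaching the filesystem unchecked, so that a request can read files such as /proc/self/maps) is one a defender would want to see closed. The following is an added example, not the challenge's own view.php: a resolver that serves only flat PNG files from a fixed uploads directory. The directory path, the `img` query parameter and the `resolveImagePath()` function name are assumptions for illustration, and the code needs PHP 8 for `str_contains()` and `str_starts_with()`.

```php
<?php
// Added example (not the challenge's view.php): serve a gallery image without
// path traversal. UPLOAD_DIR, the ?img= parameter and resolveImagePath() are
// hypothetical names chosen for illustration.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/html/uploads';

/**
 * Return the canonical path of a requested image, or null when the request
 * names anything outside UPLOAD_DIR or anything that is not a PNG.
 */
function resolveImagePath(string $requested): ?string
{
    // Gallery images are flat files, so any directory component ("../",
    // "/proc/self/maps") or embedded NUL byte is rejected before touching disk.
    if ($requested === ''
        || str_contains($requested, "\0")
        || basename($requested) !== $requested) {
        return null;
    }

    // realpath() resolves symlinks and ".." and returns false for missing files.
    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }

    // The resolved file must still sit beneath the canonical uploads directory.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    // The gallery only ever lists *.png, so serve nothing else.
    if (strtolower(pathinfo($full, PATHINFO_EXTENSION)) !== 'png') {
        return null;
    }

    return $full;
}

$path = resolveImagePath((string) ($_GET['img'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: image/png');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The design choice that matters is canonicalising with `realpath()` and comparing against the canonical base directory, rather than stripping `..` substrings, which encodings and symlinks can sidestep; refusing any directory component via `basename()` is defence in depth on top of that. This closes the information leak that defeats ASLR in the chain described above; the GOT overwrite inside the extension is a separate bug that the web layer cannot fix.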

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.