Upload Vulnerabilities

February 12, 2024

Task 1:

Task 2:

Task 3:

Task 4:

First we need to edit /etc/hosts so that we can access these domains:

10.10.183.233    overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm

The first task is to visit overwrite.uploadvulns.thm.

Viewing the source code for this site, we can see that it loads images/mountains.jpg.

Then we downloaded a mountain image from Google and renamed it to match the website's image name, mountains.jpg.

After uploading the file to the web server we get the overwrite message.

Task 5:

Second task

The website also has an upload button.

Now we get a reverse shell as www-data.

Or we could get a shell through a webshell.

Task 6:

Task 7:

Third task

First we will try a demo PNG file to see if we can upload a PNG.

As we can see, the PNG we uploaded is there, but anything other than PNG is being blocked by the filter.

Then we will use Burp Suite to intercept the POST request that is used when uploading images.

  • First way

Open FoxyProxy.

Intercept the page by reloading it with interception turned on in Burp Suite.

Then choose "Do intercept > Response to this request".

After that we need to delete the JS script that is filtering the files.

Then we will navigate to the website again and upload our PHP reverse shell, since there is no filtering anymore.

As you can see, the PHP reverse shell we uploaded is shown in Burp Suite.

  • Second way

We copy the PHP reverse shell to a PNG file:

cp ~/THM/php-reverse-shell.php revshell.png

Task 8:

Task 9:

https://en.wikipedia.org/wiki/List_of_file_signatures

Then we will use hexedit to edit the bytes in the file,

changing the bytes 41 41 41 41 41 41 to 47 49 46 38 37 61 (the GIF87a signature):

hexedit php-reverse-shell-copy.php

Task 10:

Task 11:

First we will download the file list that was given to us.

When we visit the /content directory we either have no access or the page is not found.

But when we inspect the website we can see that the images are being saved in the /content directory.

Visit the JS file and check the source code that is filtering the upload function.

Then use Burp Suite to intercept the requests.

First we will remove JS from the interception rules so that we can see the JS file being intercepted.

Do "Intercept > Response to this request" for upload.js.

Then delete the following lines to remove the filter:

We see here that the filter is removed.

Looking in Wappalyzer, we can see the website uses Node.js rather than PHP.

That's why we are going to use a Node reverse shell instead of a PHP one.

As you can see, the Node reverse shell has a .jpg file extension but it is still a JS file.

Then try to upload our payload and intercept it with Burp.

Change the file type of the Node file from jpg to js, so that we can execute it as a JavaScript file.

Then, since we know that JPG files are located in the content directory, we can use gobuster to look for our JPG file using the wordlist that was provided:

gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg

Our reverse shell payload was actually renamed to a random three-letter name from the wordlist that was given to us.

Access or execute the file through the admin page by using this path:

../content/ZBP.jpg
