Upload Vulnerabilities

February 12, 2024

Task 1 :

Task 2:

Task 3:

Task 4:

First we need to edit the /etc/hosts so that we can access these domains

10.10.183.233    overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm

First task is that we need to view overwrite.uploadvulns.thm

Then as we view the source code for this site we can see we have the images/mountains.jpg

Then we did download a mountain image from google and change its name similar to website image which is mountains.jpg

Then after we upload the file into the webserver we did get the overwrite message

Task 5:

Second Task

The website also have a upload button

Now we get the reverse shell as www-data

ORRRRRR we could get shell through webshell

Task 6:

Task 7:

Third task

First we will try a demo png file to see if we can dowload a png

As we can see there is the png that we uploaded but anything other than png is actually being blocked by the filter

Then we will use burpsuite to intercept the post method that is being used when uploading images

First way

Open the foxyproxy

Intercept the page by reloading and turning on the button in the burpsuite

Then do response to this request

After that we need to delete the js script that is filtering the files

Then we will navigate to the website once again and upload our php reverse shell since there is no filtering anymore

As you can see there is the php rev shell that we uploaded in the burpsuite

Second way

We cp the php rev shell into a png file

cp ~/THM/php-reverse-shell.php revshell.png

Task 8:

Task 9:

https://en.wikipedia.org/wiki/List_of_file_signatures

Then we will use hexedit to edit the bytes in the file

from 41 41 41 41 41 41 to 47 49 46 38 37 61

hexedit php-reverse-shell-copy.php

Task 10:

Task 11:

First we will download the file list that was given to us

When we are visiting the /content directory we have no access or the page is not found

But when we actually inspect the website we can see that the images are being saved into /content directory

Visit the js file checks the source code that is filtering the upload function

Then use burpsuite to intercept the requests

First we will remove the js in interception rule so that we can see the js file intercepted

Do intercept reponse to this request for the upload.js

Then delete the following lines to remove the filter

We see here that the filter is actually removed

Once look in the wappalyzer, we can see the webiste uses node.js instead of php programming language.

That's why we are going to use node reverse shell instead of reverse php

As you can see the node rev shell have a jpg file extension but it is still a js file

Then try to upload our payload and intercept it with burp

Change the file type of the node file from jpg to js, so that we can execute it as javascript file

Then we know that jpg files are located in content directory so we can use the gobuster tool to look for our jpg file using the wordlist that are provided

gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg

The payload or our reverse shell did actually converted to a random three letters that is in the wordlists that was given to us

Access or execute the file through tthe admin page by using this command

../content/ZBP.jpg

PreviousSteel Mountain NextBlue

Last updated 1 year ago