# Upload Vulnerabilities

**Task 1:**

<figure><img src="/files/ZsoR8ZhAs5qxMxoYmhHi" alt=""><figcaption></figcaption></figure>

**Task 2:**

<figure><img src="/files/bmisRWt9JHjGkaCH84DK" alt=""><figcaption></figcaption></figure>

**Task 3:**

<figure><img src="/files/2Pg8QXkhdEvGCZ3V5q4l" alt=""><figcaption></figcaption></figure>

**Task 4:**

First we need to edit /etc/hosts so that we can access these domains:

{% code overflow="wrap" %}

```
10.10.183.233    overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm
```

{% endcode %}

<figure><img src="/files/NZzRHYosO9Te9c6W9Dlt" alt=""><figcaption></figcaption></figure>

The first task is to view overwrite.uploadvulns.thm

<figure><img src="/files/sCbW3dAKVm7JcsH4g6w6" alt=""><figcaption></figcaption></figure>

Viewing the source code of the site, we can see it loads images/mountains.jpg

<figure><img src="/files/IkR3pKjDBZ4fgmvOftdD" alt=""><figcaption></figcaption></figure>

Then we downloaded a mountain image from Google and renamed it to match the website's image name, mountains.jpg

<figure><img src="/files/v6mTjYcatXdZ5MXsrqVm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/H3IcmkAfQaFUzuxo6hC8" alt=""><figcaption></figcaption></figure>

After uploading the file to the web server we got the overwrite message

<figure><img src="/files/Lhs4ujLuXXW9EbXasKfa" alt=""><figcaption></figcaption></figure>

**Task 5:**

Second Task

The website also has an upload button

<figure><img src="/files/efYoYPFePigGM4BbcrGY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NnUhbtnAdkdWq06C7vUt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7YMBEPCgOooioBYyMtcy" alt=""><figcaption></figcaption></figure>

Now we get a reverse shell as www-data

<figure><img src="/files/7FmuR0oKbY5evwTwwDGO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jQg9folFJjmscthhwSe4" alt=""><figcaption></figcaption></figure>

Or we could get a shell through a webshell

<figure><img src="/files/HSNrtDsIYU0o7SQrmkmG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zYKfF0UJOqsMDd4YFk9z" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tlnzvaDGZpdhSGWkYVg8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ILXfbsFXFJBKqmnHNa9A" alt=""><figcaption></figcaption></figure>

**Task 6:**

<figure><img src="/files/Uo9uCpGBemj6N07eMAeV" alt=""><figcaption></figcaption></figure>

**Task 7:**

Third task

First we will try a demo PNG file to see if we can upload a PNG

<figure><img src="/files/2cbL6ELEWdMxeTEY678a" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lg47Uy0KKRuYy2rVEVIG" alt=""><figcaption></figcaption></figure>

As we can see, the PNG we uploaded is there, but anything other than a PNG is blocked by the filter

<figure><img src="/files/zg1lEug3R8rZfu10LOeN" alt=""><figcaption></figcaption></figure>

Then we will use Burp Suite to intercept the POST request that is sent when uploading images

* First way

Open FoxyProxy

<figure><img src="/files/jSStMK0EQkOt0rIFveHT" alt=""><figcaption></figcaption></figure>

Intercept the page by turning on Intercept in Burp Suite and reloading

<figure><img src="/files/F5VKoLvmvR9RJOjTYitz" alt=""><figcaption></figcaption></figure>

Then choose "Do intercept > Response to this request"

<figure><img src="/files/swipFvvhWmy7K5xqklUX" alt=""><figcaption></figcaption></figure>

After that we need to delete the JavaScript that is filtering the files

<figure><img src="/files/DC02e4VpB2qgzY0iObDa" alt=""><figcaption></figcaption></figure>

Then we navigate to the website once again and upload our PHP reverse shell, since there is no filtering anymore

<figure><img src="/files/LAqk6nJwCvfT90l5VLcT" alt=""><figcaption></figcaption></figure>

As you can see, the PHP reverse shell we uploaded appears in Burp Suite

<figure><img src="/files/cWwjBEy8WQBShiqA3h2n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6U79QJet0O6j3Wv7Vb5d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/u5RXr1mcLANEPbKq7cxb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rRStrW3YYE0HMqrTRf4k" alt=""><figcaption></figcaption></figure>

* Second way

We copy the PHP reverse shell to a file with a .png extension

```
cp ~/THM/php-reverse-shell.php revshell.png
```

<figure><img src="/files/cjU3zm5av27c0RXSq9kw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZzX4YOzYuEmTcUOF03Ic" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CGcAS8N2l58H28XAg3pW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xOvAm4zTlqhsXmFZA0nc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CyDC56u0EMAtX6oNvmo6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SSBFFpNqbnOCIl8C6fOv" alt=""><figcaption></figcaption></figure>

**Task 8:**

<figure><img src="/files/N6I1dpbbjVVLNiTZ9P7M" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gK7jIIPEFchDWvcURPxi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EVmhPhZwX3dFXCO9dh7D" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SI9InBThEOtlxayfvrcH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kDClFw1PACwOtrbqwBD7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zI2byBa2eH0usuazwNxW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YIdAIseg7X0sHiX0C8KR" alt=""><figcaption></figcaption></figure>

**Task 9:**

<figure><img src="/files/795u6MIhdyYhL42nqZDL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DzbrgNsSKD5qOlojLhy4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ocob4F85fwxddybk77Be" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E6oDOQ3kc1yaGiqmkLfz" alt=""><figcaption></figcaption></figure>

```
https://en.wikipedia.org/wiki/List_of_file_signatures
```

<figure><img src="/files/RdpXmQf7hWxMSgBppsMi" alt=""><figcaption></figcaption></figure>

Then we will use hexedit to change the bytes in the file from 41 41 41 41 41 41 to 47 49 46 38 37 61 (the GIF87a signature)

```
hexedit php-reverse-shell-copy.php
```
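A server-side validator of the kind that would have stopped both the renamed .php-to-.png trick from Task 7 and the GIF87a signature trick here, added as an example (not code from the room or this writeup); the signature table and script-marker list are assumptions, not the room's actual filter:

```python
# Added example: check the claimed extension against the file signature, then look
# for script text hidden behind a valid signature. Not the room's own filter code.
GIF87A = bytes.fromhex("47 49 46 38 37 61")  # the bytes written with hexedit above == b"GIF87a"

# Leading bytes per format, taken from the file-signature list linked above.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [GIF87A, b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
}

# Text that never appears in a genuine image but does in PHP or Node payloads (assumed list).
SCRIPT_MARKERS = [b"<?php", b"<?=", b"require(", b"child_process", b"<script"]


def sniff_format(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def validate_upload(filename: str, data: bytes, allowed=("png", "gif", "jpg")):
    """Return (ok, reason). ok is True only if extension, signature and body all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in allowed:
        return False, f"extension .{ext} not allowed"
    fmt = sniff_format(data)
    if fmt is None:
        # A PHP file renamed to .png has no image signature at all (Task 7, second way).
        return False, "no known image signature"
    if fmt != ext:
        return False, f"signature {fmt} does not match extension .{ext}"
    for marker in SCRIPT_MARKERS:
        if marker in data:
            # Valid GIF87a header followed by PHP source (the hexedit trick above).
            return False, f"script marker {marker!r} after valid signature"
    return True, fmt


if __name__ == "__main__":
    # Constructed samples, not files from the room.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + bytes(16)))
    print(validate_upload("revshell.png", b"<?php echo 1; ?>"))
    print(validate_upload("shell.gif", GIF87A + b"\n<?php echo 1; ?>"))
```

Note that a marker scan is a heuristic; the robust defence is to re-encode images server-side, store them under a random name outside the web root and serve them with a fixed image Content-Type.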

<figure><img src="/files/Jtu5n1yDAq5irMCDTwTh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/A4DJViwypgbRzuornXQN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qP948AeBIYQ1MPT5GON7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AALnjt44kXHOoaKuGBOl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XmGbXZOzcZzm4cZg2W4k" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PRVXkYJxtfc054NxLuWW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X9pPu62iN0Al00nHSnhR" alt=""><figcaption></figcaption></figure>

**Task 10:**

<figure><img src="/files/eYBq64Y5k6YoRTOilAya" alt=""><figcaption></figcaption></figure>

**Task 11:**

First we will download the file list that was given to us

<figure><img src="/files/hcAOTWeMdPrXTTMgJBIp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/n3zR7wmioY4AB8tgRCPy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RvQHWbvobuYlCRdm9CaV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4lVexJ5XYjcveszdLgD0" alt=""><figcaption></figcaption></figure>

When we visit the /content directory we get no access, or the page is not found

<figure><img src="/files/vGiHwYQWYWkGMewJSv9F" alt=""><figcaption></figcaption></figure>

But when we inspect the website we can see that the images are being saved into the /content directory

<figure><img src="/files/ENgFsQ2DqCaI6JMetkkO" alt=""><figcaption></figcaption></figure>

Visit the JS file and check the source code that is filtering the upload function

<figure><img src="/files/QeAdWqqbo6et8ScxJ7rx" alt=""><figcaption></figcaption></figure>

Then use Burp Suite to intercept the requests

First we remove the JS extension from the interception rules so that the JS file gets intercepted

<figure><img src="/files/t2iz4fsXqcVtTTeOHEm4" alt=""><figcaption></figcaption></figure>

Choose "Do intercept > Response to this request" for upload.js

<figure><img src="/files/T0d2bEE5iMHC9IkDfEa0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vAyEzdLdaAWiHE7w6yzi" alt=""><figcaption></figcaption></figure>

Then delete the following lines to remove the filter

<figure><img src="/files/fdSQSfSF31dNwPHvEhAu" alt=""><figcaption></figcaption></figure>

We see here that the filter is removed

<figure><img src="/files/oTyfRz0rfT7wi6pfyXwE" alt=""><figcaption></figcaption></figure>

Looking in Wappalyzer, we can see the website uses Node.js instead of PHP.

<figure><img src="/files/OyeCDtuHVkmxnewDu7Cg" alt=""><figcaption></figcaption></figure>

That's why we are going to use a Node reverse shell instead of a PHP one

<figure><img src="/files/oVyiyhyKZRQLOTahAkVr" alt=""><figcaption></figcaption></figure>

As you can see, the Node reverse shell has a .jpg extension but is still a JS file

<figure><img src="/files/mRieL685I8La9zbgL5RR" alt=""><figcaption></figcaption></figure>

Then we upload our payload and intercept it with Burp

<figure><img src="/files/XHMTtDJEtFZLaucY8R7w" alt=""><figcaption></figcaption></figure>

Change the extension of the Node file from .jpg to .js so that it is executed as a JavaScript file

<figure><img src="/files/5KQ4cZegYr65wZjhHdLm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SHFmnB3BXZokpoADRlma" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RZVenaBeH7wOjgi6KRCX" alt=""><figcaption></figcaption></figure>

We know that JPG files are stored in the content directory, so we can use gobuster to look for our file using the provided wordlist

{% code overflow="wrap" %}

```
gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg
```

{% endcode %}

<figure><img src="/files/gXQaygVMPmShVv6wZ3Ca" alt=""><figcaption></figcaption></figure>

Our reverse shell payload was renamed to a random three-letter name that appears in the wordlist we were given

<figure><img src="/files/tqtSI5vYn200cDMpIDrK" alt=""><figcaption></figcaption></figure>

Access or execute the file through the admin page using this path

```
../content/ZBP.jpg
```

<figure><img src="/files/bMCT1C5chtjNDNVNMikZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RvGPQSN9zCqCSIasNSv7" alt=""><figcaption></figcaption></figure>
