
# Upload Vulnerabilities

**Task 1:**

<figure><img src="/files/ZsoR8ZhAs5qxMxoYmhHi" alt=""><figcaption></figcaption></figure>

**Task 2:**

<figure><img src="/files/bmisRWt9JHjGkaCH84DK" alt=""><figcaption></figcaption></figure>

**Task 3:**

<figure><img src="/files/2Pg8QXkhdEvGCZ3V5q4l" alt=""><figcaption></figcaption></figure>

**Task 4:**

First we need to add the target's domains to /etc/hosts so that we can access them.

{% code overflow="wrap" %}

```
10.10.183.233    overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm
```

{% endcode %}

<figure><img src="/files/NZzRHYosO9Te9c6W9Dlt" alt=""><figcaption></figcaption></figure>

The first task is to view overwrite.uploadvulns.thm.

<figure><img src="/files/sCbW3dAKVm7JcsH4g6w6" alt=""><figcaption></figcaption></figure>

Viewing the source code for this site, we can see it loads images/mountains.jpg.

<figure><img src="/files/IkR3pKjDBZ4fgmvOftdD" alt=""><figcaption></figcaption></figure>

Then we downloaded a mountain image from Google and renamed it to match the website's image name, mountains.jpg.

<figure><img src="/files/v6mTjYcatXdZ5MXsrqVm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/H3IcmkAfQaFUzuxo6hC8" alt=""><figcaption></figcaption></figure>

After we uploaded the file to the webserver, we got the overwrite message.

<figure><img src="/files/Lhs4ujLuXXW9EbXasKfa" alt=""><figcaption></figcaption></figure>

**Task 5:**

Second Task

The website also has an upload button.

<figure><img src="/files/efYoYPFePigGM4BbcrGY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NnUhbtnAdkdWq06C7vUt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7YMBEPCgOooioBYyMtcy" alt=""><figcaption></figcaption></figure>

Now we get a reverse shell as www-data.

<figure><img src="/files/7FmuR0oKbY5evwTwwDGO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jQg9folFJjmscthhwSe4" alt=""><figcaption></figcaption></figure>

Or we could get a shell through a webshell instead.

<figure><img src="/files/HSNrtDsIYU0o7SQrmkmG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zYKfF0UJOqsMDd4YFk9z" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tlnzvaDGZpdhSGWkYVg8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ILXfbsFXFJBKqmnHNa9A" alt=""><figcaption></figcaption></figure>

**Task 6:**

<figure><img src="/files/Uo9uCpGBemj6N07eMAeV" alt=""><figcaption></figcaption></figure>

**Task 7:**

Third Task

First we will try a demo PNG file to see if we can download a PNG.

<figure><img src="/files/2cbL6ELEWdMxeTEY678a" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lg47Uy0KKRuYy2rVEVIG" alt=""><figcaption></figcaption></figure>

As we can see, the PNG that we uploaded is there, but anything other than a PNG is being blocked by the filter.

<figure><img src="/files/zg1lEug3R8rZfu10LOeN" alt=""><figcaption></figcaption></figure>

Then we will use Burp Suite to intercept the POST request that is sent when uploading images.

* First way

Open FoxyProxy.

<figure><img src="/files/jSStMK0EQkOt0rIFveHT" alt=""><figcaption></figcaption></figure>

Intercept the page by reloading it with interception turned on in Burp Suite.

<figure><img src="/files/F5VKoLvmvR9RJOjTYitz" alt=""><figcaption></figcaption></figure>

Then choose to intercept the response to this request.

<figure><img src="/files/swipFvvhWmy7K5xqklUX" alt=""><figcaption></figcaption></figure>

After that we need to delete the JS script that is filtering the files.

<figure><img src="/files/DC02e4VpB2qgzY0iObDa" alt=""><figcaption></figcaption></figure>

Then we navigate to the website once again and upload our PHP reverse shell, since there is no filtering anymore.

<figure><img src="/files/LAqk6nJwCvfT90l5VLcT" alt=""><figcaption></figcaption></figure>

As you can see, the PHP reverse shell that we uploaded shows up in Burp Suite.

<figure><img src="/files/cWwjBEy8WQBShiqA3h2n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6U79QJet0O6j3Wv7Vb5d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/u5RXr1mcLANEPbKq7cxb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rRStrW3YYE0HMqrTRf4k" alt=""><figcaption></figcaption></figure>

* Second way

We copy the PHP reverse shell to a file with a .png extension.

```
cp ~/THM/php-reverse-shell.php revshell.png
```

<figure><img src="/files/cjU3zm5av27c0RXSq9kw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZzX4YOzYuEmTcUOF03Ic" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CGcAS8N2l58H28XAg3pW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xOvAm4zTlqhsXmFZA0nc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CyDC56u0EMAtX6oNvmo6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SSBFFpNqbnOCIl8C6fOv" alt=""><figcaption></figcaption></figure>

**Task 8:**

<figure><img src="/files/N6I1dpbbjVVLNiTZ9P7M" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gK7jIIPEFchDWvcURPxi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EVmhPhZwX3dFXCO9dh7D" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SI9InBThEOtlxayfvrcH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kDClFw1PACwOtrbqwBD7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zI2byBa2eH0usuazwNxW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YIdAIseg7X0sHiX0C8KR" alt=""><figcaption></figcaption></figure>

**Task 9:**

<figure><img src="/files/795u6MIhdyYhL42nqZDL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DzbrgNsSKD5qOlojLhy4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ocob4F85fwxddybk77Be" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E6oDOQ3kc1yaGiqmkLfz" alt=""><figcaption></figcaption></figure>

List of file signatures: https://en.wikipedia.org/wiki/List_of_file_signatures

<figure><img src="/files/RdpXmQf7hWxMSgBppsMi" alt=""><figcaption></figcaption></figure>

Then we will use hexedit to change the six placeholder bytes in the file from 41 41 41 41 41 41 (AAAAAA) to 47 49 46 38 37 61 (GIF87a, the GIF file signature).

```
hexedit php-reverse-shell-copy.php
```

<figure><img src="/files/Jtu5n1yDAq5irMCDTwTh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/A4DJViwypgbRzuornXQN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qP948AeBIYQ1MPT5GON7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AALnjt44kXHOoaKuGBOl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XmGbXZOzcZzm4cZg2W4k" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PRVXkYJxtfc054NxLuWW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X9pPu62iN0Al00nHSnhR" alt=""><figcaption></figcaption></figure>

**Task 10:**

<figure><img src="/files/eYBq64Y5k6YoRTOilAya" alt=""><figcaption></figcaption></figure>

**Task 11:**

First we will download the wordlist that was given to us.

<figure><img src="/files/hcAOTWeMdPrXTTMgJBIp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/n3zR7wmioY4AB8tgRCPy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RvQHWbvobuYlCRdm9CaV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4lVexJ5XYjcveszdLgD0" alt=""><figcaption></figcaption></figure>

When we visit the /content directory, we either get no access or the page is not found.

<figure><img src="/files/vGiHwYQWYWkGMewJSv9F" alt=""><figcaption></figcaption></figure>

But when we inspect the website, we can see that the images are being saved into the /content directory.

<figure><img src="/files/ENgFsQ2DqCaI6JMetkkO" alt=""><figcaption></figcaption></figure>

Visiting the JS file shows the source code that filters the upload function.

<figure><img src="/files/QeAdWqqbo6et8ScxJ7rx" alt=""><figcaption></figcaption></figure>

Then use Burp Suite to intercept the requests.

First we remove the JS exclusion from the interception rules so that we can see the JS file being intercepted.

<figure><img src="/files/t2iz4fsXqcVtTTeOHEm4" alt=""><figcaption></figcaption></figure>

Intercept the response to this request for upload.js.

<figure><img src="/files/T0d2bEE5iMHC9IkDfEa0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vAyEzdLdaAWiHE7w6yzi" alt=""><figcaption></figcaption></figure>

Then delete the following lines to remove the filter.

<figure><img src="/files/fdSQSfSF31dNwPHvEhAu" alt=""><figcaption></figcaption></figure>

We see here that the filter is actually removed.

<figure><img src="/files/oTyfRz0rfT7wi6pfyXwE" alt=""><figcaption></figcaption></figure>

Looking in Wappalyzer, we can see the website uses Node.js instead of PHP.

<figure><img src="/files/OyeCDtuHVkmxnewDu7Cg" alt=""><figcaption></figcaption></figure>

That's why we are going to use a Node reverse shell instead of a PHP one.

<figure><img src="/files/oVyiyhyKZRQLOTahAkVr" alt=""><figcaption></figcaption></figure>

As you can see, the Node reverse shell has a .jpg file extension but is still a JS file.

<figure><img src="/files/mRieL685I8La9zbgL5RR" alt=""><figcaption></figcaption></figure>

Then we try to upload our payload and intercept it with Burp.

<figure><img src="/files/XHMTtDJEtFZLaucY8R7w" alt=""><figcaption></figcaption></figure>

Change the file type of the Node file from jpg to js, so that it can be executed as a JavaScript file.

<figure><img src="/files/5KQ4cZegYr65wZjhHdLm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SHFmnB3BXZokpoADRlma" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RZVenaBeH7wOjgi6KRCX" alt=""><figcaption></figcaption></figure>

We know that jpg files are stored in the content directory, so we can use gobuster to look for our jpg file using the wordlist that was provided.

{% code overflow="wrap" %}

```
gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg
```

{% endcode %}

<figure><img src="/files/gXQaygVMPmShVv6wZ3Ca" alt=""><figcaption></figcaption></figure>

Our reverse shell payload was actually renamed to a random three-letter name taken from the wordlist that was given to us.

<figure><img src="/files/tqtSI5vYn200cDMpIDrK" alt=""><figcaption></figcaption></figure>

Access or execute the file through the admin page by using this path:

```
../content/ZBP.jpg
```

<figure><img src="/files/bMCT1C5chtjNDNVNMikZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RvGPQSN9zCqCSIasNSv7" alt=""><figcaption></figcaption></figure>
