What a crazy time I had in this room. It talks about vulnerabilities in upload forms that websites may use to allow users to upload files and things to the website. The first couple of tasks were rather easy – using the same file name to overwrite files already on the server, i.e. finding a file on the server called “spain.jpg”, and then uploading your own file called “spain.jpg” as well to overwrite the original.
The next task started to increase the knowledge needed to execute the task. It required a knowledge of getting access to shells and using them on web servers. I have to admit here that my knowledge is not great, so it took a while to realise that I would have to go and get a shell payload to use on my own – stupidly I thought I just had to cut and paste the command mentioned in the room. I did not. Eventually I got my own shell and managed to execute and run the command to get the flag.
The next task was about client-side and server-side filtering. This was an interesting task, especially learning about the hex file signatures and how you can change them easily in Linux. It also went over MIME type filtering by capturing your requests in Burp and then modifying the info before it gets sent to the server. It also discussed filename filtering.
The next task was using the techniques discussed to bypass the client-side filtering. I have to admit here that I forgot some of this stuff when it came time for the final challenge, because looking back, the hints were there. You intercept the request before it gets to the server, then ask Burp to intercept the response as well. When you get the server response, you can then delete the code you don’t want to execute in the browser. This way you can remove things like the client-side filter checks.
The next task was file extension filtering, which involved trying to modify the extension of a file so that it could bypass the filter. Again this was simple enough by referring back to instructions and ensuring that you could find an extension that would work. There was a bit of trial and error here to find an appropriate PHP extension that would work, but in the end it worked OK.
Next up was bypassing the Magic Numbers filter. Again this was pretty easy, but also interesting being able to go in and change the file using the hexeditor program.
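To show the server-side view of the filters the room walks through (MIME type, file extension, magic numbers, and the overwrite from the first task), here is an added example that is not part of the room or this post: a small Python upload validator that ignores the browser-supplied Content-Type, allow-lists only the final extension, checks the hex file signature, and stores under a server-chosen name. The allow-list and the sample uploads are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Constructed allow-list: the only extensions accepted and the magic bytes
# (hex file signature) each one must start with.
ALLOWED_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def rejection_reason(filename: str, content: bytes) -> Optional[str]:
    """Server-side checks only. The Content-Type header and any JavaScript
    filter are ignored, since both come from the client and can be edited in
    Burp. Returns why the upload is rejected, or None if it passes."""
    if not filename or any(ord(c) < 32 for c in filename):
        return "control characters in filename"   # e.g. a null byte before a fake extension
    if os.path.basename(filename) != filename:
        return "path separators in filename"      # no ../ or directory tricks
    root, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return f"extension {ext!r} not on the allow-list"
    if "." in root:
        return "multiple extensions"              # shell.php.jpg style names
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        return "magic bytes do not match the extension"
    # Caveat: a script with JPEG magic bytes prepended still passes this last
    # check. What stops it running is the strict extension allow-list above
    # plus storing uploads where the web server never executes them.
    return None


def stored_name(filename: str) -> str:
    """Random server-chosen name keeping only the validated extension, so an
    upload called spain.jpg can never overwrite the existing spain.jpg."""
    return secrets.token_hex(8) + os.path.splitext(filename)[1].lower()


def handle_upload(filename: str, content: bytes) -> tuple:
    """Returns (accepted, detail): the rejection reason, or the name to store under."""
    reason = rejection_reason(filename, content)
    if reason:
        return False, reason
    return True, stored_name(filename)


if __name__ == "__main__":
    # Constructed sample uploads mirroring the room's tasks.
    for name, body in [("spain.jpg", b"\xff\xd8\xff\xe0JFIF"), ("shell.php", b"<?php"),
                       ("shell.php.jpg", b"\xff\xd8\xff"), ("shell.jpg", b"<?php")]:
        print(name, handle_upload(name, body))
```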
The Challenge
The final thing was the challenge to get a reverse shell on to a Jewel upload site. This took me a long time mainly due to me not thinking outside of the box, taking the previous tasks too literally, and also a hiccup with Burp that took me a few hours and some Discord messages to get it working.
The main issues here that I had were that I was so fixed on the tasks I had done before, that I didn’t think about the shell I was using, and kept using a PHP shell, instead of noticing that the server was using node.js and I needed to switch to that. Enumerating the site using Gobuster and checking source code was all easy enough and I managed to do that without help.
Then the big problem came: my Burp program kept forwarding requests via HTTPS, which led to the site not working. It took me a long time to figure it out and I actually got some help by chatting on Discord to point me in the right direction. I finally realised I had to just manually change all the requests to use HTTP. Not sure why this happened, but it was a pain. Once I got that figured out, I was able to get the shell uploaded and found the flag. What a feeling of accomplishment after all that. I think this challenge took about 6 hours of my time!