Upload Vulnerabilities

This is a room in TryHackMe, which teaches about basic file-upload vulnerabilities in websites.

Once the IP-to-hostname mappings are added to “/etc/hosts”, we can proceed further.

echo "<Target Machine IP> overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts

Overwriting Existing Files

On opening http://overwrite.uploadvulns.thm in the browser, there is a website with “Select File” and “Upload” buttons.

Home page when opening http://overwrite.uploadvulns.thm

Looking at the source code, we see that the image displayed in the background is sourced from “mountains.jpg” under a directory called “images”.

Page source of http://overwrite.uploadvulns.thm

To check whether we are able to overwrite the existing image(s) on the webserver,
I tried uploading a new image with the same name, “mountains.jpg”, and overwriting the existing image with the new one was successful.

File overwriting success

Remote Code Execution(RCE)

On navigating to http://shell.uploadvulns.thm we have, similar to the previous link, “Select File” and “Upload” buttons.

Home page of http://shell.uploadvulns.thm

Directory Busting results; /resources and /assets are good places to check

gobuster output

After uploading a few test files to the site, we find that uploaded files are stored under /resources.

Any method can be used for RCE, but a reverse shell is the aim here.

For RCE using a webshell, I found this webshell handy.

For RCE through a reverse shell, we have (as usual) used the PHP reverse shell from pentestmonkey; here is the code for the reverse shell:

reverse shell

Bypass Client-Side Filtering

Navigating to http://java.uploadvulns.thm and looking at the source code, only files with MIME type image/png are accepted.

JS function that only allows specific files to be uploaded

Directory busting results: /images is where the uploaded files are stored

Intercepting the requests/responses through Burp Suite

Response to this request (Burp)
Comment out/delete the filter that only accepts PNG images
Content of reverse_shell.php

This procedure was successful in uploading reverse_shell.php and getting the reverse shell: Response to this request (Burp) -> Forward (Burp) -> “Select File” UI button and choose reverse_shell.php from your local machine -> Comment out/delete the filter that only accepts PNG images -> Upload button (UI) -> Forward (Burp)

Now we are able to bypass the filter and upload the reverse_shell.php script.

/images path which stores the files uploaded

On clicking the reverse_shell.php file, we get a reverse shell to the target.

reverse shell to target

Bypassing Server-Side Filtering: File Extensions

As the title suggests, here the upload filtering is done on the file extension by the backend language (PHP, Node.js, Python, etc.), typically as a blacklist or whitelist of extensions that blocks or allows files matching the rule.

Navigate to http://annex.uploadvulns.thm

http://annex.uploadvulns.thm

Directory busting results

gobuster results

Through trial and error, .jpg and .png are found to be accepted, .php is REJECTED,
but .php5 is ACCEPTED. Therefore, renaming reverse_shell.php to reverse_shell.php5 and uploading it gives a reverse shell.

reverse shell

Bypassing Server-Side Filtering: Magic Numbers

To strengthen the filtering process, filtering based on magic numbers can be used, but even this can be bypassed. The main idea is that a file's type should not be concluded from its extension; rather, the contents of the file define its type, and magic numbers (the first bytes of a file) are used to identify that type. Read more about magic numbers here.

Navigate to http://magic.uploadvulns.thm

Home page http://magic.uploadvulns.thm

This suggests that only GIFs are accepted.

Only GIF-type files are accepted

On researching, I found that the magic number for GIF is 47 49 46 38 39 61 (hex), which is the ASCII string GIF89a.
On prepending these bytes to reverse_shell.php, the file is identified as a GIF, so we can bypass this filter as well.
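The three filters met in this room (the client-side MIME check, the server-side extension blacklist and the magic-number check) each fail on their own. As an added example that is not part of the room or the write-up, the validator below combines them the way a defender would: an extension allowlist instead of a blacklist (so .php5 never gets through), a magic-number check on the real bytes while the client-supplied Content-Type is ignored, a scan for PHP open tags so a “GIF89a<?php …” polyglot is rejected even though its magic bytes are valid, and a server-generated storage name so an upload can never overwrite an existing file such as images/mountains.jpg. The sample uploads at the bottom are constructed for the demo, and the function and constant names are this example's own.

```python
"""Server-side upload validation combining the checks this room bypasses one
at a time (added example; the sample uploads below are constructed)."""
import os
import re
import secrets

# Allowed extensions and the magic bytes a file with that extension must start with.
# An allowlist is used on purpose: a blacklist of ".php" silently admits ".php5".
ALLOWED_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),   # 47 49 46 38 39 61 == b"GIF89a"
}

# Magic bytes prove nothing about the rest of the file, so also refuse any
# "image" that carries a PHP open tag (<?php or <?=).
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def file_extension(filename: str) -> str:
    """Return the final extension, lowercased, without the dot ('' if none)."""
    base = os.path.basename(filename)      # ignore any directory component
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def matches_magic(data: bytes, ext: str) -> bool:
    """True if the content starts with one of the signatures for this extension."""
    return any(data.startswith(sig) for sig in ALLOWED_MAGIC.get(ext, ()))


def validate_upload(filename: str, client_content_type: str, data: bytes):
    """Return (accepted, reason, stored_name).

    client_content_type is deliberately not used for the decision: it is
    attacker-controlled, which is exactly what the java.uploadvulns.thm bypass
    exploits. It is accepted as a parameter only so it can be logged.
    """
    ext = file_extension(filename)
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext or '(none)'} not in allowlist", None
    if not matches_magic(data, ext):
        return False, f"content does not start with a {ext} signature", None
    if PHP_OPEN_TAG.search(data):
        return False, "image contains a PHP open tag (polyglot)", None
    # The server chooses the on-disk name: the user-supplied name never reaches
    # the filesystem, so overwriting mountains.jpg is impossible by construction.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


# Constructed sample uploads: (client Content-Type header, body bytes)
SAMPLES = {
    "mountains.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "reverse_shell.php": ("image/png", b"<?php echo 'hello'; ?>"),   # forged Content-Type
    "reverse_shell.php5": ("image/png", b"<?php echo 'hello'; ?>"),  # blacklist evasion
    "polyglot.gif": ("image/gif", b"GIF89a<?php echo 'hello'; ?>"),  # valid magic bytes
    "banner.gif": ("image/gif", b"GIF89a" + b"\x00" * 16),
}


def run_demo() -> dict:
    """Validate every sample and return {filename: (accepted, reason)}."""
    return {
        name: validate_upload(name, ctype, data)[:2]
        for name, (ctype, data) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_demo().items():
        print(f"{name:20} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Only banner.gif and mountains.jpg are accepted; the .php upload with a forged image/png Content-Type, the .php5 rename and the GIF89a polyglot are all rejected, and the accepted files are stored under random names rather than the ones the client supplied.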

Adding dummy characters to the beginning of reverse_shell.php
Editing the dummy characters into the GIF magic number using the ghex editor

Directory indexing is turned off, so we get permission denied when browsing the directory. Note: the /graphics path was detected by gobuster during the directory busting process.

Directory listing is restricted

Executing reverse_shell.php by requesting it directly through the URI

reverse_shell.php output

In summary, this room covers file overwriting, RCE with a webshell and a reverse shell, defensive mechanisms such as client-side and server-side filtering, and how these defences can be bypassed to get RCE. Also note that the last challenge in the room is left for your curiosity; please go ahead and give it a try.
