File Upload Attacks - Skills Assessment

I think I found the directory in another php file. But so far I can’t figure out how to get RCE beyond using XML/XXE to extract the /etc/passwd data.

If you were able to extract the source code of the correct .php file, then it should give you all the information of the upload process. Read it thoroughly and understand the upload protections that are written there. Then you will be able to bypass them and get RCE.

As always feel free to reach out.
-onthesauce

I am missing something still. I am pretty sure I see what the directory name is that the file uploads to. Also I see that it prepends the file name before uploading it. What I can’t seem to find is the base directory, so I can’t figure out how to call the file so I can try to run the RCE on it. I cannot figure out how to locate the directory on the server that is indicated to be the upload directory per the .php file. Thank you.

Ahhh I totally got stuck on the same thing.

Look at the source code again and think about this:

  1. What does . do when traversing a Linux File System?
  2. What directory did you get the file from?

That should help you get there.
-onthesauce

Ok, that helps I think… I am still struggling however. I am not 100% sure I understand where the file is going. But the other issue I have is that unless it is an svg/jpg file I cannot get it to upload without it saying only images are allowed. I thought by fuzzing the content type and extensions I could get around this. I assume it is checking MIME type but the bypass I did earlier in the module doesn’t work (like adding GIF8 to the file). I tried adding magic header bytes as well but no luck yet. I am not sure if there is a way to get RCE to work as I need with the SVG file. I can use svg, as I said above, to extract data but can’t actually run any commands with it.

Everything ended successfully!
I won this module!
Not without help and support from the forum!
Thank you all!!! In particular, -onthesauce

I have been able to retrieve the php source code. etc/password as well. But /flag.txt doesn’t seem to exist. Am I missing something or is this machine messed up? I did have to go through about 20 machines until I could get consistent results with the same commands each time.

What a fun challenge. I really enjoyed chasing this one down!

Generally that error appears because the backend expects an image file and finds php code instead.

Meaning you should probably try other types of php extensions. It could be blocking or sanitizing the .php.jpg extension you are using.

I have the same issue I suppose. It seems that the flag file doesn’t exist in the root “/” directory…
Could I have a hint? :smile:

un Box. Hit a hard brick wall at figuring out where the file uploads to. For those trying to read flag.txt file with the XXE vuln, the flag is not named flag.txt as it usually is, to prevent you from reading it with said XXE vulnerability. There is however another important file you can read with XXE.

When you upload the image in the contact form, where is that being sent? What php form is being used to upload/rename/move that image?

Also if you are stuck trying to figure out how to bypass the image upload, I found this page helpful: List of file signatures - Wikipedia

Hello
I can’t find a way to upload the payload on the app.
My current one gives me a 500 internal server error.
Is that a step forward?
I am trying an XXE payload.

I got all the payloads right to bypass the filters. I am stuck on how to find where it is going to.

First do I look at the source code or try to use xml code reader?

Obs: Is it just me or do you guys sometimes feel like the spawned machine does not work properly?

Found it, now just have to understand what this function is renaming my file :sweat_smile:

Hi!
I think I understand how to move forward in the assessment but I don’t understand how to bypass the base64 so my commands never execute.

Module completed. I found the link useful List of file signatures - Wikipedia to find out the signature that uses “jpeg”. I managed to find out what is the correct format of the webshell name thanks to the script provided by HTB Academy (adding the ‘.phar’ ‘.phtml’ extension to the script). When all the “shell.xxx.xxx” were uploaded, I checked with Burp Suite which of them interpreted the php code for me.

If anyone needs help, I’m here.
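To make the filter discussion above concrete from the defender's side, here is an added example (not code from the thread or from HTB) that contrasts a weak upload check of the kind being bypassed (only the last extension, the client-supplied Content-Type and a magic-byte prefix) with a strict one that rejects any executable extension anywhere in the name, ties the magic bytes to the declared extension and renames the file on storage. The signature table and filenames are constructed for illustration.

```python
import secrets

# Magic bytes per accepted image type (constructed table; SVG deliberately absent,
# since SVG is XML and can carry the XXE payloads discussed in this thread).
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Extensions that a typical PHP handler config may execute even mid-filename.
EXECUTABLE_EXT = {"php", "phar", "phtml", "php3", "php4", "php5", "phps"}


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """Naive validation: last extension, client Content-Type, any image prefix."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT:
        return False
    if not content_type.lower().startswith("image/"):
        return False  # trivially satisfied; the client controls this header
    return any(data.startswith(sig) for sigs in IMAGE_SIGNATURES.values() for sig in sigs)


def strict_check(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened validation. Returns (accepted, reason_or_new_storage_name).

    Content-Type is intentionally ignored: the bytes and the full name decide.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing base name or extension"
    exts = parts[1:]
    # Reject shell.phar.jpeg-style names: every segment after the base must be allowed.
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension present in name"
    if any(e not in ALLOWED_EXT for e in exts):
        return False, "extension not on allowlist"
    kind = ALLOWED_EXT[exts[-1]]
    # The magic bytes must match the type the extension claims, not just any image.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[kind]):
        return False, f"magic bytes do not match .{exts[-1]}"
    # Store under a random name with the canonical extension so the original
    # name never reaches the filesystem or the web root.
    return True, f"{secrets.token_hex(8)}.{kind}"
```

Storing the result outside the web root (or in a directory with script execution disabled) is still required; the name check alone does not make a malicious file inert.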

I did the same, but it didn’t work. What did I miss?
oli310

Hello
I want to ask you
I tried to solve skill assessment file upload
I changed to shell.phar.jpeg
The content to image/jpeg
File signature to ÿØÿî
It’s uploaded
But I can’t find the path for upload directory ??
Can you help me please to solve this lab??
Thank you

@Issagh HTB gives you a hint on how to locate the upload directory → “If you are unable to locate the uploaded files, try to read the source code to find the uploads directory and the naming scheme”. Therefore:

1). You must identify which PHP files are in the web application. You can use ffuf to find them.

2). When you find the PHP files, try to read them. One of them tells you the path. The “Limited File Uploads - XXE” section of the module tells you how to read PHP files.