Glad you got it man!
did you get that “oh duh, now i remember and that makes sense” feeling like i get adter struggling and making things harder on myself when actually they are a lot eaier than i’m making them.
either way the important thing is not giving up and keep moving forward.
Also don’t try to rush through it, several times i made that mistake and had to go back through them.

I solved the exercise by changing the “Content-Type:” and adding the same MIME “GIF8” as indicated by the HTB Academy module. After that I used the word list generated by the bash script from the previous section “Whitelist Filters” where I added ‘.phar’ and ‘.phtml’ in the script:

With Burp (Intruder) you will find several correct options.


Hi Ezio thanks for the tip!
I was also getting the error message that there was something wrong with my image:
the image “SNIP/shell.jpg.PhP” cannot be displayed because it contains errors.

Is there someone who can explain to me why this errors comes up? I still dont quite understand the logic behind it and I would like to know why.

did you try mime?

Get the shell uploaded but cant get to the directory by cd … to get the flag. Any Idea ?

The phpbash is not working for this one. I now used the shell from the section. That worked :slight_smile:
You sholuld add extension .png.phar when fuzzing , Because .phar can execute on server back-end

I’m stuck too

find / -type f -name flag.txt -exec cat flag.txt {} ; 2>/dev/null
for read the flag.txt