FILE UPLOAD ATTACKS - Type Filters

Glad you got it man!
Did you get that “oh duh, now I remember and that makes sense” feeling like I get after struggling and making things harder on myself, when actually they are a lot easier than I’m making them?
Either way, the important thing is not giving up and to keep moving forward.
Also don’t try to rush through it; several times I made that mistake and had to go back through them.

I solved the exercise by changing the “Content-Type:” and adding the same MIME “GIF8” as indicated by the HTB Academy module. After that I used the word list generated by the bash script from the previous section “Whitelist Filters” where I added ‘.phar’ and ‘.phtml’ in the script:

With Burp (Intruder) you will find several correct options.


Hi Ezio, thanks for the tip!
I was also getting the error message that there was something wrong with my image:
the image “SNIP/shell.jpg.PhP” cannot be displayed because it contains errors.

Is there someone who can explain to me why this error comes up? I still don’t quite understand the logic behind it and I would like to know why.

Did you try MIME?

Got the shell uploaded but can’t get to the directory by cd … to get the flag. Any idea?

*Solved
The phpbash is not working for this one. I now used the shell from the section. That worked :slight_smile:


http://xxx.xx.xxx.xxx:xxxxx/profile_images/shell.png.phar?cmd=id
You should add the extension .png.phar when fuzzing, because .phar can execute on the server back-end.

I’m stuck too


find / -type f -name flag.txt -exec cat {} \; 2>/dev/null
to read the flag.txt


If someone has a problem solving the lab, feel free to visit my GitHub repository (GitHub - GaboLC98/File-upload-vulnerability-abuse) where I’m writing a tool that helps to abuse the file upload vulnerability.
After using it, be sure to understand what your mistake was. The payloads are shown to the user.


You specified a GIF but named it a png file.

You uploaded the shell to the server; that means you were able to bypass both blacklist and whitelist filters. Now if you refer to the Whitelist Filters section on the academy, there was an example which explained how the server determines which files to allow PHP code execution. In that example any file that contained .php, .phar or .phtm extensions was allowed PHP code execution.

However, maybe the scenario of this exercise is a bit different; maybe here the position matters and the server is not allowing PHP code execution of files that JUST contain the above mentioned extensions.

Hello, you are doing well. Now remember that you can change the position of the extensions to see if that is the case, and in the module it says that GIF is the best option. It is great that you used phar; only now the order is what is causing the error.
Process
*Identify which files can be uploaded (use the extension from the previous challenge)
*MIME

dir /

This helped me out so much. You’ve been clutch this whole module @onthesauce.
Just needed to thank you.

Anyone still struggling, if it helps, write the 3 different methods down on a sheet of paper and put it in front of you (from the whitelist section). Try all 3 methods to read the flag :slight_smile:

This is for those who bypassed the blacklist and were able to upload the file to the server.


I don’t understand. If you successfully uploaded the file, doesn’t that mean you bypassed the whitelist and blacklist? I’m getting the error that the file has errors. Can you elaborate?

Hey! From what I remember about this issue, you might not be bypassing the whitelist. There were files that seemed like they made it through the whitelist, but weren’t being executed right on the backend.

I would follow @CodeWidthMe’s suggestion above and try all the whitelisting methods till you find the one that works. It sounds like you are getting the files onto the server, but they aren’t executing.

The backend server is confused when trying to execute your file. It reads the file extension and contents, then executes accordingly. As an example, let’s say that you put the following text in two files: <?php system($_GET['cmd']); ?>

And your two files are:
shell.php
shell.jpg

When the server calls on shell.php it is going to read the file extension and try to execute the PHP code within. In that case it will be successful because the file is filled with PHP code.

However, when the server reads the shell.jpg file it is going to expect an image file. When it reads the PHP code within, it will display that the file has errors because it is trying to display an image with PHP code.

This could also hold true if you haven’t found the right PHP extension. So try all the combos till one works.
-onthesauce

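As an added example (my own code, not from the HTB Academy module or from anyone in this thread), here is the server-side check a defender would write to close the gaps the posts above walk through: it rejects an executable extension anywhere in the name (so shell.png.phar and shell.jpg.PhP fail regardless of order or case), trusts magic bytes over the client-controlled Content-Type header, and stores the file under a server-chosen name. The extension lists are assumptions, not the lab’s.

```python
import re

# Assumed list of extensions a typical Apache/PHP host hands to the PHP
# handler wherever they appear in the filename (extend per deployment).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phar", "phtml", "phtm"}
ALLOWED_IMAGE_EXTS = {"png", "jpg", "gif"}

# Leading bytes -> image type. Only the body is trusted; the client's
# Content-Type header is attacker-controlled, so it is not consulted at all.
# "GIF8" covers both GIF87a and GIF89a (the value used in the thread).
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF8", "gif"),
)


def sniff_image(data: bytes):
    """Return the image type implied by the magic bytes, or None."""
    for sig, ext in MAGIC:
        if data.startswith(sig):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); rejects instead of sanitising."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension", None
    exts = parts[1:]
    # Check every extension, not just the last one: shell.phar.png and
    # shell.png.phar both carry an executable extension, and lower()
    # makes shell.jpg.PhP match too.
    bad = [e for e in exts if e in EXECUTABLE_EXTS]
    if bad:
        return False, f"executable extension in name: {bad}", None
    if len(exts) > 1:
        return False, "double extensions are not accepted", None
    ext = "jpg" if exts[0] == "jpeg" else exts[0]
    if ext not in ALLOWED_IMAGE_EXTS:
        return False, f"extension .{exts[0]} not allowed", None
    sniffed = sniff_image(data)
    if sniffed is None:
        return False, "body is not a recognised image", None
    if sniffed != ext:
        return False, f"body looks like {sniffed} but name says {ext}", None
    # Server-chosen name: the client's filename never reaches disk.
    stem = re.sub(r"[^a-z0-9_-]", "_", parts[0])[:40] or "upload"
    return True, "ok", f"{stem}.{sniffed}"
```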

Ok, I think I understand. The only thing in the whitelist filter module that seems relevant is which PHP extension the web app allows to run PHP code, but I’ve tried ’em all and none worked… phar, phtml, pHp5.

I’ve even tried changing the bytes to jpg, png. Finally got it: if you’re stuck, try switching the ordering of the extensions… Re-reading the Whitelist Filters section did help, thank you onthesauce!


Sorry for the MIA @everyone, just finished up the CBBH exam :slight_smile:

@Neurosploit -->> so that extension provided what you needed in terms of response, so you used it - understandably.

However, it isn’t the only one that worked.

You mentioned you tried the other ones as well.
Can you provide a screenshot of the POST request with those that you tried?

Might be tedious, but we want to help you.

I’m assuming you tried

shell.sample1.sample2
shell.sample2.sample1

“sample” being the extension type, for example:
phar would be sample1 in this case.

So → another example:
shell.phar.sample2?

You’re so close, don’t give up; take a step back if you need a breather. Going down the rabbit hole sometimes leads you further away when you just missed the turn to make it to the destination.

Look forward to hearing back from you!

@kagebunshi made a good point in their suggestion as well!!

Hi, I can’t move forward from this submodule and I really don’t understand where I am wrong.
In picture 1 everything is ok; I found what extension I can use. In picture 2 I add the .php shell and after that I get
“Only images are allowed”. What am I not seeing?

2nd picture, I can’t put 2 pictures at once -.-