HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

Hi All,

Just wondering if someone could point me in the right direction - I think I’m on the cusp of finishing the task but am stuck with uploading a web shell to the final location and getting it to run.

When I navigate to the location and access the file I’ve uploaded I get the dreaded cannot open file as it contains errors.

Below are the steps I’ve managed to complete:

  • obtain the code to understand the upload process
  • I know the location for where files are dropped.
  • validation of both allow/block lists for extensions.
  • validation of MIME and Content-Type

Can get a filename through but having the issues of getting the file correct in order to be able to perform RCE to obtain final flag

Just looking for pointers if anyone can help…

Text me, I will support you!

Thanks @Satellite for the offer. I managed to work it out :slight_smile:

how did you work it out, i am pretty much in the same boat and for the life of me thinking what is wrong, i can pretty much gran any file. Bath seems i am just lost with the location of the flag itself

Esssai d’ouvrir un .bat avec le fichier a erreur en l’ouvrant sous un autre format tu pourras le lire et essayer de trouver tes erreurs

I would try uploading a legit image file and see how it gets processed at each step. Notice that its a two step process. Think XXE. Feel free to DM me if you need a bigger push.
-onthesauce

I managed to catch the flag, thank you #onthesauce for the support :vulcan_salute:

you are on the right track with all the steps you mentioned. for the file type look at the upload.php file it should tell you the blacklisted php extensions.

The uploaded file is stored in the folder mention in the upload.php. There is some renaming done before storage. That what you really need to understand to know the location of your uploaded file.

Hint: date('ymd) …

[So do you have to find where the images go? i found the js file which tells you the extensions that are allowed. Through burp suite I found different extensions that can work I just don’t know who I can run the payload to get it to work. Any help?

if you found the extensions that are allowed, try uploading one that you can run using a bypass. Hint something.something<x\00>.<allowed_extenstion>. jpg worked for me.

Pay attention to onthesauce note, its two step process. But if you already have the php file, and are able to upload bypassing the filters. The rest is straightforward

DM for more help

Hi everyone!

I cannot manage to find the upload source code using xxe vulnerability within a svg file. The svg file won’t upload, or it’s been uploaded but the code is not correct :slight_smile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>

Any hint please ?

do you have “uploas.php” file? maybe it would be “uploads”?

My finger slipped sorry. It’s “/contact/upload.php” which is indicated in the script.js.
But is Client-side validation bypass is enough to upload the xxe svg file ?

Did you look at the source code of the web page after uploading but prior to submitting the form? This part should be very similar to the Limited Uploads section.

DM with your burp screenshot prior to upload if you need more help. But what you have above should be fine.
-onthesauce

Thank you for the tips, I was indeed too much focusing after the submitting. I will try it if only targets system would last more than 30s. Kinda annoying.

No problem!

What do you mean it is only lasting 30s? I have heard a few people mention that, do you mean you launch the target server, run an attack and find that you cannot ping that IP? Or is it something with the pwnbox? Any errors?
-onthesauce

I just made the following :

I click on the link to spawn the target then I launch my instance
I wait 30s/1min
When I enter the target link on my browser I get a “Unable to connect”

The target disconnects by itself without any attack or file upload

Hmmm, that is strange, I know some machines I have had to wait up to 5-10 minutes for it to initialize. I think it depends on the load on the servers and which exercise you are doing. If it has to do a lot of background work then it might take longer to build and setup. Even if it gives you an IP address, that may not mean that it is actually ready.

Next time that happens, give it 5 more minutes and see if it just needed more time. Remember which exercises it happened on. I think a lot of the Wordpress servers took a long time to setup.
-onthesauce

I got the upload.php using XXE , but the problem is i can’t by pass the filter . I do not understand the regex behind the whitelist … Can someone help me out

i’m going to be honest and say i’m stuck on all of it and can’t seem to move forward even a little bit. i clearly see there is client side whitelist.
i also figured out it vulnerable to imagetragic vulnerability which tell me a sleep based svg / xxe is possible, i just cant seem to get anything to work. My fuzzing or extensions and content types come up empty. So i thought maybe i need to go through the modules again… but as i started them i realized i could easily beat each one. idk…just needed to get this out there…going to keep trying of course.