HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

Help!!! I’m pulling my hair out with this and not sure where to go next. I’ve got what I think are the allowed extensions (the PHP ones) and I know what the allowed Mime Types and image extensions are. But,

I cannot upload a web shell.
Even if I could I cannot read any source files to tell me where the uploads directory and what the file name convention is.

Appreciate a nudge on this if anyone can help. :roll_eyes: :roll_eyes: :roll_eyes:


Once again I persisted and cracked it. But that was quite tesitng.

1 Like

I have a question I for the upload.php file I see what they do to store the file. I did that and then I got a broken image on the burpsuite return. I found mulitple extensions that work. Nothing is allowing me to store the fire. Can you point me in the right direction?

Have you managed to read the source code of the file? It tells you everything you need to know…

Yeah it was the meaning of “.” That got me and I also over analyzed the mod of the file as far as how to create it when you store it.

i’m stuck, how do i find the source code? is it “/contact/script.js”?

Which section are you stuck on?

Hi, can I ask your help?

Sure what’s up?

I got the php source codes and I think that I have to work with svg image to get the flag, but I can’t reach the uploaded file.
I tried with a regular jpg to find the correct location but nothing. I know that the filename will be modified before storing and there’s a special folder, I suppose it’s triggering me the “./”. Help me

You need to read the source code of upload.php. That tells you what the filtering is doing, how the file is renamed and where it is located on the server.

I did it.
Understood the rename process (date…), the filtering but I can’t understand the path ‘./upl*********/’, cause there’s the dot at the beginning