HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

Help!!! I’m pulling my hair out with this and not sure where to go next. I’ve got what I think are the allowed extensions (the PHP ones) and I know what the allowed Mime Types and image extensions are. But,

I cannot upload a web shell.
Even if I could, I cannot read any source files to tell me where the uploads directory is and what the file name convention is.

Appreciate a nudge on this if anyone can help. :roll_eyes: :roll_eyes: :roll_eyes:

Thanks

Once again I persisted and cracked it. But that was quite testing.

1 Like

I have a question. For the upload.php file, I see what they do to store the file. I did that and then I got a broken image in the Burp Suite response. I found multiple extensions that work. Nothing is allowing me to store the file. Can you point me in the right direction?

Have you managed to read the source code of the file? It tells you everything you need to know…

Yeah, it was the meaning of “.” that got me, and I also overanalyzed the mod of the file as far as how to create it when you store it.

I’m stuck, how do I find the source code? Is it “/contact/script.js”?

Which section are you stuck on?

Hi, can I ask your help?

Sure what’s up?

I got the php source codes and I think that I have to work with svg image to get the flag, but I can’t reach the uploaded file.
I tried with a regular jpg to find the correct location but nothing. I know that the filename will be modified before storing and there’s a special folder, I suppose it’s triggering me the “./”. Help me

You need to read the source code of upload.php. That tells you what the filtering is doing, how the file is renamed and where it is located on the server.

I did it.
Understood the rename process (date…), the filtering but I can’t understand the path ‘./upl*********/’, cause there’s the dot at the beginning

Can I get an assist or a hint from someone to help me understand what I’m doing wrong or don’t understand about the webshell/reverse shell needed to browse the directories? I’ve been chasing info for 3 days and have read a bunch of info and tried several techniques to upload the webshell within the blacklist/whitelist/content filter rules. I’ve successfully found the downloads directory and can access the files I place there. I read the file that has the filtering and can read individual files on the webserver such as /etc/passwd. I found an XXE vulnerability, and can read individual files on the server if I know the name, but I can’t seem to get a working script or webshell that lists directories. I’ve tried using the msfvenom reverse shell and I’ve tried JavaScript and the examples in the earlier part of the module to no avail. Any assist is appreciated to help drag me across the finish line. This one is definitely challenging.

Have you managed to find the flag file in the root directory? The challenge doesn’t require a reverse shell, just to read a file. There may be other reasons why a reverse shell doesn’t work unrelated to the task.

If I knew the name of the flag file, I would use the XXE vulnerability to read it. The problem is, I don’t know the name of the flag file and I have not been able to find a successful webshell to display the files in the root directory. Attempting to substitute isn’t working, but the example for individual files such as works just fine. I’m at a loss

Is the file not just called flag.txt? That’s what it’s been called in every other module I did. I’m sure from my recollection of doing this part that I didn’t need to get a reverse shell to be able to get the flag. Let me know if you still have problems and I’ll fire up the instance and see if I can go back through it.

I’m definitely not finding a /flag.txt file by modifying the XXE script from file:///etc/passwd to file:///flag.txt. The hint says to find the flag in the root directory. Thank you for the assistance on this. I wasn’t expecting such a difficult sequence in an academy module.

You’re all on the right path if you found XXE injection to read source codes.
HINTS:

  • /contact/upload.php
    —> note the directory user’s feedback will be uploaded
    —> Note how uploaded files are renamed (yymmdd_uploadedfilename)
    You can first upload non-malicious jpg file, then check the intended directory with the above name structure to see if your uploaded image will show up.

After that, you can create a malicious jpeg file with php code embedded and you should be able to get RCE.
The following should work for you locating the flag:
find / -type f -name "*.txt" -exec ls -lh {} \; 2>/dev/null

GOOD LUCK

akorexsecurity, thank you for the post. As you can see, I’ve been at this for almost a month.
I have corrected my first mistake, and it took me way too long to figure out that you can’t copy/paste magic bytes from the Wikipedia page listed in the resources for this module. Pasting those “magic bytes” characters into a nano editor doesn’t write the correct hex bytes and the MIME-check fails… At least I’ve solved stupidity error #1. I double-checked my webshell MIME type using an external checker and I’ve got that sorted. The last problem I’m having is that when I retrieve the file from the upload location, I’m just getting the b64-encoded file instead of the results of what my malicious PHP will output. Maybe jpg won’t work in this case. I’m going to try some other extensions for the XXE.

drip_2000, I totally understand where you’re coming from. The workaround for me (duh) was uploading a legitimate jpeg file, intercepting it with Burp and sending it to Repeater. From there I deleted every other line after the jpeg magic bytes except the form boundary “-----------------------------77364754343434” and replaced it with <?php system($_GET["command"]);?>. Don’t tamper with the original content type and try filename xxxxx.phar.jpeg and send it.

Also, you can use hexeditor to modify any file of your choice. In this case, we could use that for magic bytes modification: "hexeditor <file.ext>". Then replace the first few hex bytes with your magic bytes.

Now go to the directory
http://xxx.xxx.xxx.xxxx:xxxx/contact/<upload-directory>/yymmdd_xxxxx.phar.jpeg?command=id

To locate the flag:
find / -type f -name "*.txt" -exec ls -lh {} \; 2>/dev/null

The output might be messy, but you can use Ctrl+U to view the source code, which will print every output on a new line, and you will be able to see the flag name.

Finally
cat flagname.txt

3 Likes
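
As a defender-side counterpart to the technique in this thread (JPEG magic bytes placed in front of PHP code, stored under a name like xxxxx.phar.jpeg), here is an added example, not part of any forum post or of the lab's code, that audits stored uploads for those two signs. The function name, the extension list and the sample files are assumptions constructed for illustration.

```python
import re

# Extensions a PHP-enabled server may pass to the interpreter. Assumed list:
# compare it with the handler configuration of the server being audited.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")  # JPEG, PNG, GIF
# "<?php" and "<?=" open tags; "<?=" can occur by chance in binary data, so
# treat a hit as a triage signal rather than proof.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)

def audit_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons a stored upload deserves a closer look."""
    findings = []
    exts = filename.lower().split(".")[1:]  # every segment after the base name
    if exts and exts[-1] in EXEC_EXTS:
        findings.append("executable final extension")
    if any(e in EXEC_EXTS for e in exts[:-1]):
        findings.append("executable extension before the final one")
    if not data.startswith(IMAGE_MAGIC):
        findings.append("no known image signature")
    elif PHP_TAG.search(data):
        findings.append("image signature followed by a PHP open tag")
    return findings

# Constructed samples (not taken from the lab): name, first bytes of the file.
SAMPLES = [
    ("240101_holiday.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    ("240101_avatar.phar.jpeg", b"\xff\xd8\xff\xe0<?php echo 'constructed'; ?>"),
    ("240101_notes.php", b"<?php echo 'constructed'; ?>"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, audit_upload(name, data) or "clean")
```

A magic-byte or MIME check alone passes the second sample; it is the combination of checking every extension segment and scanning the body that flags it.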