HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

Wahoo, I finally got it: thanks to four letters… “phar” I didn’t think to fuzz the middle part of the webshell for all possible extensions, but without doing that this server returned errors to me when i sent the http GET to the malicious file. Off to do more learning about PHP file extensions. Big thanks to all those who provided help.

1 Like

I need help, I so tired. I read the source code of upload.php and you’re right, files are renamed with next way ./user_feedback_submissions/yymmdd_uploadedfilename but when i go to the url I get “Not Found”.

In this example I uploaded the image called image.jpg so if today is 29/09/22 my file should be stored in http://64.227.43.207:32493/contact/user_feedback_submissions/220929_image.jpg but it dosn’t work :frowning: .

Double check that your upload-directory is correct, and make sure you’re using the server time or alternatively, syn your local time with the server. The best way for you to get the server time is to intercept the request via burp and the capture the response and determine the server time from there. This happened to me when I was working the exercise. For example you might be thinking your current date is 22/09/30 whereas the server time is 22/10/01. Double check this and see if it resolves your issue. If not, reach back to me.

mclovin,
if you’re certain you have the correct upload directory, one more thing to check would be the difference between the Greenwich year and day and the local year and day and try the next calendar day in case the server time rolled past 2359 hours (midnight) GMT.

Where can find upload directory? In the javascript or in the html?

Fun Box. Hit a hard brick wall at figuring out where the file uploads to. For those trying to read flag.txt file with the XXE vuln, the flag is not named flag.txt as it usually is, to prevent you from reading it with said XXE vulnerability. There is however another important file you can read with XXE.

When you upload the image in the contact form, where is that being sent? What php form is being used to upload/rename/move that image?

Also if you are stuck trying to figure out how to bypass the image upload, I found this page helpful: List of file signatures - Wikipedia

How do you guys manage to read the source code of the upload.php file? any hint to me? I already uploaded image with malicious script but they all response a base64 encoded image.

Thanks @akorexsecurity for this. I’m getting some weird thigs happen, I can upload a malicious file, but then when I try and run any commands, example - &command=id , the server responds with “That URL isn’t available” - i’m going to refresh and try again tomorrow but super frustrating!

Edit: Manged to get it! That was super frustrating made 2 minor errors.

Also i couldn’t get http://xxx.xxx.xxx.xxxx:xxxx/contact/<upload-directory/yymmdd_xxxxx.phar.jpeg&command=id to work but substituting the & for ? did work

http://xxx.xxx.xxx.xxxx:xxxx/contact/<upload-directory/yymmdd_xxxxx.phar.jpeg?command=id