HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

There is a difference between submitting the form and uploading a file. Use Burp or just have a look at the network tab in your browser dev tools.

Anyone got any tips? @pavka and @akorexsecurity got me close, but for some reason I cannot access the uploaded image (malicious or legit); I keep getting the Not Found page.

URL path is: IP:PORT/contact/user_feedback_submissions/20240530_product_logo_48.png

Even tried 20240531_product_logo_48.png with no luck.

Check what y is for PHP date format. It’s different from ‘Y’… :))

Thank you, I already finished it, but you are exactly right haha, that’s what I was stuck on. Couldn’t believe it when I figured it out too lol

Excellent. That one wasn’t that hard but required us to sit down and do things properly for an hour or two, yes. Enjoy the rest of the journey!

/contact/user_feedback_submissions/240530_product_logo_48.png