Skills Assessment - File Upload Attacks

I stuck on the Skills Assessment - File Upload Attacks.
I don’t find the File Path. Please can someone help me?
thx

Hey!

I recommend using one of the methods they mentioned to grab the source code of the web functions/pages.

DM me if you need a bigger nudge!
-onthesauce

1 Like

I can upload what I want, so far so good. Is there are possibility to get to the source code of the upload script? Doing everything blindly did not give me any result so far.

It is possible, in fact I would say it is crucial. Doing so uncovers important information surrounding the whole process.

I recommend going through the upload process a few times normally and observing how it works. I spent a few minutes just uploading legitimate files to see each step in the process. Although, it sounds like you have done so already. As always feel free to DM me.
-onthesauce

1 Like

Hello,
Can anyone help me? I am block.
I can’t find the file path. :confused:
Thx,

Have you found a way to get the source code?
-onthesauce

Hey! I understand correctly that in order to read the source code you need to download the .svg file and implement XXE? Can’t load svg. What am I doing wrong?

If I remember correctly you need to upload an .svg file that will read you the source code. My memory is fuzzy on this though.

I am stuck on uploading .svg file. How to upload it? is there .svg file bypass methods?

if anyone is having a hard time uploading the svg file to read the source code you can use this script to fuzz for extensions

#!/bin/bash
for ext in ‘.svg’ ‘.php’ ‘.phps’ ‘.php8’ ‘.php7’ ‘.php5’ ‘.php4’ ‘.php3’ ‘.php2’ ‘.pht’ ‘.phar’ ‘.phpt’ ‘.pgif’ ‘.phtml’ ‘.phtm’; do
echo “shell.jpg$ext” >> php_whitelist_wordlist_small.txt
echo “shell$ext.jpg” >> php_whitelist_wordlist_small.txt
echo “shell$ext” >> php_whitelist_wordlist_small.txt
done

also if you don’t know php very well like me you can use this and run snippets of code,

" echo $variable; " is good to see the output of how they are constructing strings

if anyone is still having a issue you can feel free to dm me

I’ve been able to upload my file and find where it is being stored but I need a hint on actually accessing that file…

Read the source code for upload.php carefully. The file is modified before storing.

No matter what extension(s), content-type I try, I’m can’t seem to get past, “Only images are allowed.” Someone today told me they successfully uploaded the file using shell.phar.jpeg, but it won’t work for me. What am I missing?

Hi, I’m stuck with this assigment. I’ve discovered, allowed extensions, content-type, and magic number but when I use the payload to read upload.php file’s contents I get my payload base64 encoded as a response in all cases. Please, can anyone help?

I read the source code, I can even view the uploaded jpeg image, but cant run commands

I thought of an approach, just guide me whether I am correct or not…
I would first try to upload an .svg file with a XXE script which would give me the source code of the “submit.php” which is the page we get redirected to by default.
Then after using that source code I would get the path where the files are being uploaded.
Finally I would upload a .php shell and gain RCE to get the “flag”.

Please help if I am thinking the right way.

whenever i try to upload the svg file i get an internal server error. None of the magic bytes seem to work either

I was getting this too, until I switched to PwnBox - then I got it first try. It must be something about my home network that’s messing with the request…