Tryhackme Walk-through Room — Upload Vulnerabilities
I will be skipping most of the room in this walk-through and documenting the last challenge (Task 11)
Hints link:
Video walk-through:
Once we navigate to the site, we will be presented with our file upload option
If we cat out the file they gave us, it looks to be a list of possible extensions
Looks like there are some restrictions we need to take note of
We need a file that not only has a jpg extension, but also has the jpg magic number. Also, the size needs to be less than 400 KB
Quick Google search will give us the correct hex code we need
Also running xxd against a jpeg file, produces the same results
Running a dirsearch finds a few interesting directories
Running a gobuster scan looking for jpg extensions finds a few files
Browsing to one of the files shows us that we are in the correct directory
We shall see if it worked
If we browse to the Admin directory, we will find a way to execute our file
Since my uploaded file doesn’t seem to execute correctly, we may need to use a different payload. If we use Wappalyzer (which can be downloaded from addons.mozilla.org), we see that it’s running Node.js
If we go to PayloadAllTheThings Github, there is a Node.js payload:
We will use this option, and just change our IP and port
Now that we have everything set up, let's try uploading the file again, re-running gobuster so we can find our file, and then execute it
Prior to upload
After upload
Since this still isn't working, we probably need to delete the JavaScript code (keeping the name as shell.jpg, but removing the hex encoding). To do this, let's launch Burpsuite (and also start a netcat session on the port you specified in the shell.png (JS) file)
Upload the shell file, then Forward the request until you get to the following:
Once you forward the request after selecting the Response option, you will see a background item that you need to Forward, then the JS code
Delete all 3 sections, and Forward the request on
Now upload the file again and re-scan via gobuster; you will see a new file
After you press enter, if you don’t see the spinning circle, it means your netcat session didn’t connect
Answer: THM{NzRlYTUwNTIzODMwMWZhMzBiY2JlZWU2}
Lessons Learned/Remediations:
- The file upload protection measures were reasonable, but because the checks ran client-side rather than server-side, a user could strip the checking code out of the response and bypass the protection entirely
- Never trust user-supplied input: always validate uploaded files in server-side code (extension, magic number and size), and make sure to store uploaded files in a directory that is not served by the web server