In this video walkthrough, we covered the TryHackMe Upload Vulnerabilities room, where we demonstrated methods and techniques for exploiting file upload vulnerabilities, as well as for bypassing upload filters, such as using magic numbers, changing the file extension, and more.
The ability to upload files to a server has become an integral part of how we interact with web applications. Be it a profile picture for a social media website, a report being uploaded to cloud storage, or saving a project on Github; the applications for file upload features are limitless.
Unfortunately, when handled badly, file uploads can also open up severe vulnerabilities in the server. This can lead to anything from relatively minor, nuisance problems; all the way up to full Remote Code Execution (RCE) if an attacker manages to upload and execute a shell. With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as XSS or CSRF. By uploading arbitrary files, an attacker could potentially also use the server to host and/or serve illegal content, or to leak sensitive information. Realistically speaking, an attacker with the ability to upload a file of their choice to your server — with no restrictions — is very dangerous indeed.
The purpose of this room is to explore some of the vulnerabilities resulting from improper (or inadequate) handling of file uploads. Specifically, we will be looking at:
- Overwriting existing files on a server
- Uploading and Executing Shells on a server
- Bypassing Client-Side filtering
- Bypassing various kinds of Server-Side filtering
- Fooling content type validation checks
So, we have a file upload point on a site. How would we go about exploiting it?
As with any kind of hacking, enumeration is key. The more we understand about our environment, the more we’re able to do with it. Looking at the source code for the page is good to see if any kind of client-side filtering is being applied. Scanning with a directory bruteforcer such as Gobuster is usually helpful in web attacks, and may reveal where files are being uploaded to; Gobuster is no longer installed by default on Kali, but can be installed with `sudo apt install gobuster`. Intercepting upload requests with Burp Suite will also come in handy. Browser extensions such as Wappalyzer can provide valuable information at a glance about the site you’re targeting.
With a basic understanding of how the website might be handling our input, we can then try to poke around and see what we can and can’t upload. If the website is employing client-side filtering, then we can easily look at the code for the filter and look to bypass it (more on this later!). If the website has server-side filtering in place, then we may need to take a guess at what the filter is looking for, upload a file, then try something slightly different based on the error message if the upload fails. Uploading files designed to provoke errors can help with this. Tools like Burp Suite or OWASP ZAP can be very helpful at this stage.
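To make the filter types discussed above concrete, here is an added server-side validator (example code written for this walkthrough, not from the room or its target machine) that layers the checks the room's later tasks try to defeat: an extension allowlist, a Content-Type check, and a magic-number check, followed by a server-chosen filename so the client never controls where the file lands. The signature and MIME tables and the sample inputs are constructed assumptions.

```python
import os
import secrets

# Allowlist: extension -> accepted magic bytes. Assumed values for this
# example; extend the table only for formats the application really needs.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Content-Type the client is expected to declare for each allowed extension.
EXPECTED_MIME = {
    "png": "image/png", "jpg": "image/jpeg",
    "jpeg": "image/jpeg", "gif": "image/gif",
}


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Return (ok, reason_or_ext). Every check runs server-side; the
    client-declared Content-Type is only a hint that must agree with the
    bytes, never the source of truth."""
    base = os.path.basename(filename)  # drop any path components
    if "." not in base:
        return False, "no extension"
    # Only the LAST extension counts; 'image.php.png' still ends in .png,
    # which is exactly why the magic-number check below is also required.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not in allowlist"
    if declared_mime != EXPECTED_MIME[ext]:
        return False, f"declared type {declared_mime!r} does not match .{ext}"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name: random, so an upload can never overwrite an
    existing file or pick its own path on disk."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs (not real uploads): a minimal PNG header with
# padding, and a file whose bytes are not an image at all.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_NOT_IMAGE = b"this is not an image"
```

Store the file outside the web root (or in a directory where the web server has script execution disabled) so that even a misclassified upload is served as static data rather than executed.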
What is the name of the image file which can be overwritten?
Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads?
(N.B. This is a good habit to get into, and will serve you well in the upcoming tasks…)
Get either a web shell or a reverse shell on the machine.
What’s the flag in the /var/www/ directory of the server?
What is the traditionally predominant server-side scripting language?
When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?
[Research] What MIME type would you expect to see when uploading a CSV file?
What is the flag in /var/www/?
What is the flag in /var/www/?
Grab the flag from /var/www/
Hack the machine and grab the flag from /var/www/