This final task in the TryHackMe Upload Vulnerabilities room is a practical challenge simulating real-world conditions. Users must leverage everything learned previously to successfully exploit an upload form, obtain a reverse shell, and capture a flag. It emphasizes comprehensive understanding and execution of file upload bypass techniques.
Reconnaissance with Gobuster
The process begins with directory enumeration using Gobuster, identifying critical folders such as admin (used for triggering uploaded scripts) and content (possibly storing uploaded files). This recon phase is essential for navigating and interacting with the backend file structure.
Initial File Upload Testing
The user uploads benign image files (e.g., JPGs) to test which file types and extensions are allowed. Though uploads report success, the exact filename remains obfuscated, prompting further investigation via browser dev tools and repeated scanning.
Understanding File Upload Filters
Several filters prevent unauthorized file types:
- Client-side filters: Block certain files based on extension and size before submission.
- Server-side filters: Validate files based on file extension, magic number, and potentially content.
These protections aim to stop code execution via uploaded files.
Bypassing File Upload Filters
The user attempts to alter the reverse shell payload to meet the acceptance criteria:
- Changes the file extension to .jpg
- Alters the magic number at the beginning of the file to match the JPG signature (D8 FF)
- Uses Burp Suite to intercept and manipulate requests
Initial attempts using only extension and magic number changes allow the upload to succeed but not execution, indicating deeper protections.
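The filter categories listed above (extension, magic number, content) are easy to describe but easy to get wrong, and the walkthrough shows why: a changed extension and a borrowed signature satisfy checks that only look at the first bytes. The following server-side validator is an added example written for this summary, not code from the TryHackMe room or its target application. It combines an extension allowlist, a magic-number check, and a structural walk of JPEG marker segments, so a file that merely starts with a JPEG signature and continues with script text is rejected. The size limit, the allowed types, and the upload directory are assumptions for the example.

```python
import secrets
from pathlib import Path
from typing import Tuple

# Extension allowlist, lowercase, compared against the last suffix only (so "shell.jpg.js" is .js).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}

# File signatures: a JPEG starts with FF D8 FF, a PNG with its fixed 8-byte header.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

MAX_BYTES = 2 * 1024 * 1024  # assumed limit for the example, not a value from the room


def jpeg_is_well_formed(data: bytes) -> bool:
    """Walk JPEG marker segments from SOI until SOS.

    Every segment after SOI must be FF <marker> followed by a 2-byte big-endian length
    (except the length-less RSTn markers), and the file must end with EOI (FF D9).
    A file that only borrows the signature bytes and then continues with script text
    fails here because the bytes after SOI do not form valid marker segments.
    """
    if not data.startswith(b"\xff\xd8") or not data.endswith(b"\xff\xd9"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):      # SOS (entropy-coded data follows) or EOI: structure is fine
            return True
        if 0xD0 <= marker <= 0xD7:      # RSTn markers carry no length field
            pos += 2
            continue
        if marker < 0xC0:               # not a valid segment marker
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False
        pos += 2 + seg_len
    return False


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). All checks run on the server; client-side checks are ignored."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "magic number does not match extension"
    if ext in (".jpg", ".jpeg") and not jpeg_is_well_formed(data):
        return False, "not a well-formed JPEG"
    return True, "ok"


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Validate, then store under a random server-chosen name (never the client's filename).

    upload_dir is assumed to sit outside the web root and to be served only through a
    handler that streams bytes with an image Content-Type, never through include/execute.
    """
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    dest = upload_dir / (secrets.token_hex(16) + Path(filename).suffix.lower())
    dest.write_bytes(data)
    return dest


# Constructed samples for the example: a minimal JPEG (SOI, APP0/JFIF, SOS, EOI) and a file
# that borrows only the signature bytes before script text, as in the walkthrough's first attempt.
GOOD_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda"
    + b"\xff\xd9"
)
FAKE_JPEG = b"\xff\xd8\xff" + b"require('net'); /* script text, not image data */"

if __name__ == "__main__":
    for name, blob in (("cat.jpg", GOOD_JPEG), ("shell.jpg", FAKE_JPEG), ("shell.js", GOOD_JPEG)):
        print(name, validate_upload(name, blob))
```

Two caveats a practitioner should keep in mind. First, the structural walk rejects signature-only fakes but not a genuinely valid image that carries script text inside a comment segment, so content validation alone never makes execution safe; what actually closes the walkthrough's path is that stored uploads are never handed to anything that executes or includes them. Second, a random filename does not help if the upload directory is listable or sits under the web root where enumeration can recover it, which is exactly how the walkthrough retrieves the obfuscated name.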
Disabling Filtering Mechanisms
Discovering that client-side filtering is enforced by JavaScript served from folders such as assets and modules, the user bypasses it by disabling the related JavaScript functions. Manual intervention in the script further disables the magic number and extension checks, using comment-out techniques in Burp Suite.
Payload Construction and Execution
A reverse shell script in Node.js is customized with the attacker's IP and port. After successful upload, its name is retrieved via Gobuster. Execution through the admin interface is attempted using the precise path (content/filename). This triggers a listener on the attacker's machine and establishes a shell.
The reverse shell confirms successful execution. Commands like ls, cat, and cd are used to navigate to the flag, completing the challenge. The narrator explains the importance of understanding when to bypass filters vs. disabling them entirely.
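Seen from the server side, the sequence in the last two sections leaves a recognisable trace in web access logs: a burst of 404s from one client while the wordlist runs, then a successful upload, then a request to the admin interface that names something under the content directory. The detector below is an added example for this summary, not part of the TryHackMe room; it parses Combined Log Format lines and flags both patterns. The upload handler path (/upload), the admin query parameter (view) and the sample log lines are all constructed for the example; the admin and content folders are the ones the walkthrough enumerates.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/upload"    # assumed upload handler path for the example
ADMIN_PREFIX = "/admin"    # admin folder found by enumeration in the walkthrough
UPLOAD_DIR = "content/"    # folder holding uploads in the walkthrough


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def enumeration_sources(entries: List[Dict], threshold: int = 20, window_s: int = 60) -> Set[str]:
    """IPs that produced at least `threshold` 404 responses inside any `window_s`-second window.

    Sliding window over the sorted 404 timestamps of each client; a wordlist scan produces
    far more misses per minute than a person browsing.
    """
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            per_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def upload_then_admin_execution(entries: List[Dict]) -> List[Tuple[str, str]]:
    """(ip, referenced path) pairs: a client that uploaded successfully and later asked the
    admin interface for a path under the upload directory, in that order."""
    uploaded: Set[str] = set()
    hits: List[Tuple[str, str]] = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["method"] == "POST" and e["target"].startswith(UPLOAD_PATH) and e["status"] < 400:
            uploaded.add(e["ip"])
        elif e["ip"] in uploaded and e["target"].startswith(ADMIN_PREFIX):
            query = parse_qs(urlsplit(e["target"]).query)
            for values in query.values():
                for value in values:
                    if UPLOAD_DIR in value:
                        hits.append((e["ip"], value))
    return hits


# Constructed sample log: 25 rapid misses from one client, then an upload, then an admin
# request naming a file under content/; a second client browses normally.
SAMPLE_LOG = [
    *[f'10.0.0.5 - - [01/Jan/2024:12:00:{i:02d} +0000] "GET /w{i} HTTP/1.1" 404 153 "-" "gobuster/3.5"'
      for i in range(25)],
    '10.0.0.5 - - [01/Jan/2024:12:01:10 +0000] "POST /upload HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:12:02:30 +0000] "GET /admin?view=content/a1b2c3.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:02:45 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:03:00 +0000] "GET /admin?view=dashboard HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def analyze(lines: List[str]) -> Dict:
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    return {
        "enumeration_sources": enumeration_sources(entries),
        "upload_then_admin": upload_then_admin_execution(entries),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The second rule is the higher-confidence one: a request to the admin interface that names a file the same client just uploaded is the moment the walkthrough turns a stored file into a running process, and on a hardened application that request should never be able to succeed. The 404-burst rule is noisier and is best used to enrich the first, not to page on its own.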