In this video walkthrough, we covered TryHackMe Upload Vulnerabilities room where we demonstrated methods and techniques to exploit file upload vulnerabilities in addition to bypassing upload filters such as using magic numbers, changing file extension and more.
The Complete Practical Web Application Penetration Testing Course
Introduction to File Upload Vulnerabilities
The ability to upload files to a server has become an integral part of how we interact with web applications. Be it a profile picture for a social media website, a report being uploaded to cloud storage, or saving a project on Github; the applications for file upload features are limitless.
Unfortunately, when handled badly, file uploads can also open up severe vulnerabilities in the server. This can lead to anything from relatively minor, nuisance problems; all the way up to full Remote Code Execution (RCE) if an attacker manages to upload and execute a shell. With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as XSS or CSRF. By uploading arbitrary files, an attacker could potentially also use the server to host and/or serve illegal content, or to leak sensitive information. Realistically speaking, an attacker with the ability to upload a file of their choice to your server — with no restrictions — is very dangerous indeed.
File upload vulnerabilities occur when attackers can upload malicious files to a server without proper restrictions.The video is part of a series that walks through file upload techniques, explaining how to bypass both client-side and server-side filters. In this video, the focus is on client-side filtering and insecure sites.
Insecure File Upload Example
The first example demonstrates an insecure site where users can upload files without any validation or restriction.The attacker identifies an existing image file on the server (e.g., mountains.jpg) and replaces it by uploading a file with the same name. This allows them to bypass any checks and successfully upload their file.This technique helps attackers overwrite files on the server by exploiting poorly secured upload mechanisms.
Finding the Upload Path
The attacker needs to know the upload directory to access the malicious file they uploaded. They use tools like Gobuster or Dirbuster to discover the directory where uploaded files are stored.Once the upload directory is identified (e.g., resources), the attacker can upload a web shell (malicious file) and trigger it by accessing the correct path.
Bypassing Client-Side Filters
In many cases, websites implement client-side filtering to prevent the upload of specific file types. However, client-side filters are easy to bypass because they only work within the user’s browser and are not enforced server-side.The attacker uses Burp Suite to intercept the upload request and modify the file extension or MIME type (e.g., changing a .php file to .png) to bypass the client-side filter.
Uploading a Web Shell
The attacker creates a simple PHP web shell to execute commands on the server. After changing the file extension to bypass the filter, they intercept the upload request using Burp Suite.They then modify the file’s MIME type back to .php during the upload process, allowing the PHP shell to be executed on the server.
Conclusion
After successfully uploading the malicious file, the attacker navigates to the upload path to trigger the shell and gain command execution on the server.They attempt to establish a reverse shell connection, but if tools like Netcat are unavailable on the server, they switch to using alternative methods (e.g., using Pentest Monkey scripts).
Upload Vulnerabilities TryHackMe | Room Answers
What is the name of the image file which can be overwritten?
Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads?
(N.B. This is a good habit to get into, and will serve you well in the upcoming tasks…)
Get either a web shell or a reverse shell on the machine.
What’s the flag in the /var/www/ directory of the server?
What is the traditionally predominant server-side scripting language?
When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?
[Research] What MIME type would you expect to see when uploading a CSV file?
What is the flag in /var/www/?
What is the flag in /var/www/?
Grab the flag from /var/www/
Hack the machine and grab the flag from /var/www/
Video Walkthrough
