Introduction

In this walkthrough we cover file upload vulnerabilities and the techniques attackers use to get around upload filters, using TryHackMe Advent of Cyber 2 (2020), Day 2: Christmas Chaos.

TryHackMe Advent of Cyber Challenge Description

After your heroic deeds regaining control of the control centre yesterday, Elf McSkidy has decided to give you an important job to do.

“We know we’ve been hacked, so we need a way to protect ourselves! The dev team have set up a website for the elves to upload pictures of any suspicious people hanging around the factory, but we need to make sure it’s secure before we add it to the public network. Please perform a security audit on the new server and make sure it’s unhackable!”

You listen to the briefing and accept the task, pressing the deploy button to start the server as you do so.

McSkidy once again gives you a dossier of useful information to help you with your task, which you read as you wait for the server to boot.

Challenge Questions

  • What string of text needs adding to the URL to get access to the upload page?
  • What type of file is accepted by the site?

Bypass the filter and upload a reverse shell.

  • In which directory are the uploaded files stored?
  • Activate your reverse shell and catch it in a netcat listener!
  • What is the flag in /var/www/flag.txt?


Bypassing File Upload Filters

I cover three main techniques that attackers use to get around upload filters:

  • Bypassing by Extension: A filter that looks at only one extension in the file name can be fooled with a double extension. If the filter reads the text after the first dot, shell.jpg.php is accepted as a JPG while the server still executes it as PHP; if it reads the text after the last dot, shell.php.jpg is accepted, and whether it still runs depends on how the web server maps extensions to the PHP handler (Apache's AddHandler, for example, matches .php wherever it appears in the name). The fix is a whitelist rather than a blacklist: require the entire file name to match exactly one allowed extension, and store the file under a server-chosen name so the client's name is never used on disk.
  • Bypassing by Magic Numbers: Most file formats start with a fixed sequence of bytes, the "magic number", that identifies the type (a PNG begins with 89 50 4E 47 0D 0A 1A 0A, a JPEG with FF D8 FF). Some filters check these bytes to confirm a file is what it claims to be. An attacker simply prepends the magic number of an allowed type to the script: the filter sees a PNG, while PHP ignores everything outside its <?php ... ?> tags and executes the rest. Checking magic bytes is therefore only useful together with an extension whitelist and, ideally, re-encoding the image server-side.
  • Bypassing by Content Type: The Content-Type of each part of a multipart upload is set by the client, so it is trivially forged. Using a proxy such as Burp Suite to intercept the upload request, the attacker changes the Content-Type of the PHP file from application/x-php to an allowed type like image/jpeg while the body stays the same. A server that validates only this header lets the script through; the header should never be the sole check.

Practical Demonstration

To show how this works in practice, I'll walk through the scenario from the TryHackMe Advent of Cyber Day 2 challenge.

First, I find the upload page and take a look at the source code to see what file types are allowed. In this case, it’s image files like JPG, PNG, and GIF.

I start by uploading a regular JPG image to confirm that a legitimate upload works. Then I create a PHP reverse shell script and save it with a double extension, shell.php.jpg. The filter passes it because it inspects only the last extension, and the server still treats the file as PHP when it is requested.

Next, I need to find where the uploaded files are stored, which turns out to be the /uploads directory. With a Netcat listener already running on my machine (nc -lvnp followed by the port the shell calls back to), I browse to the uploaded shell file; the server executes it and the shell connects back to the listener.

Once I have a shell, I can look for the flag, which I find in /var/www/flag.txt.



About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
