Hackthebox Academy File Upload Walkthrough

Questions walkthrough

# Basic Exploitation


## Absent Validation

Question 1 :- Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.
Answer :- ng-9##################################

  • When we visit the exercise at http://<machine-ip>:port/, the index page is hidden by default. If we instead visit http://SERVER_IP:PORT/index.php, we get the same page, which means this is indeed a PHP web application.
  • Several other techniques can help identify the technologies running the web application, such as the Wappalyzer extension.

Image

  • Now that we have identified the web framework running the web application and its programming language, we can test whether we can upload a file with the same extension. As an initial test, we upload an arbitrary PHP file, and it gets uploaded.
  • This means that the web application has no file validation whatsoever on the back-end.

Image

  • When we click the download button, the web application takes us to our uploaded file. Since we uploaded a PHP web shell, we can execute commands from it and grab the hostname required to solve this challenge.

Image

## Upload Exploitation

Question 1 :- Try to exploit the upload feature to upload a web shell and get the content of /flag.txt.
Answer :- HTB{g0##################}

  • As previously discussed, we can upload a PHP shell; it can be a reverse shell, a web shell, etc.
  • We can now search for the flag.txt file from the web shell.

Image

  • Then we can read the flag.

Image

# Bypassing Filters


## Client-Side Validation

Question 1 :- Try to bypass the client-side file type validations in the above exercise, then upload a web shell to read /flag.txt (try both bypass methods for better practice).
Answer :- HTB{cl###########################}

  • The exercise at the end of this section shows a basic Profile Image functionality, frequently seen in web applications that utilize user profile features, like social media web applications:

Image

  • We can press [CTRL+SHIFT+C] to toggle the browser's Page Inspector, then click on the profile image, which is what triggers the file selector for the upload form:

<input type="file" name="uploadFile" id="uploadFile" onchange="checkFile(this)" accept=".jpg,.jpeg,.png">

  • We see that the file input specifies (.jpg,.jpeg,.png) as the allowed file types within the file selection dialog.

Image

  • If we capture the upload request with Burp, we see the following request being sent by the web application:
  • The web application appears to be sending a standard HTTP upload request to /upload.php. We can now modify this request to meet our needs without the front-end type validation restrictions. If the back-end server does not validate the uploaded file type, then we should theoretically be able to send any file type/content, and it would be uploaded to the server.
  • The two important parts of the request are filename="HTB.png" and the file content at the end of the request. If we change the filename to new.php and replace the content with the web shell we used in the previous section, we would be uploading a PHP web shell instead of an image.

Image

Note: We may also modify the Content-Type of the uploaded file, though this should not play an important role at this stage, so we’ll keep it unmodified.

  • As we can see, our upload request went through, and we got File successfully uploaded in the response. We can now visit our uploaded file, interact with it and gain remote code execution.
  • As before, we search for the flag.txt file.

Image

  • Then we get our required flag.

Image

## Blacklist Filters

Question 1 :- Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read “/flag.txt”.
Answer :- HTB{1_#######################}

  • We start with one of the client-side bypasses we learned in the previous section to upload a PHP script to the back-end server: intercept an image upload request with Burp, replace the file content and filename with our PHP script's, and forward the request.

Image

  • As we can see, our attack did not succeed this time, as we got Extension not allowed. This indicates that the web application may have some form of file type validation on the back-end, in addition to the front-end validations.

There are generally two common forms of validating a file extension on the back-end:
1. Testing against a blacklist of types
2. Testing against a whitelist of types

  • Furthermore, the validation may also check the file type or the file content for type matching. The weakest form of validation amongst these is testing the file extension against a blacklist of extensions to determine whether the upload request should be blocked.
  • As the web application seems to be testing the file extension, our first step is to fuzz the upload functionality with a list of potential extensions and see which of them return the previous error message. Any upload requests that do not return an error message, return a different message, or succeed in uploading the file, may indicate an allowed file extension.
  • There are many lists of extensions we can utilize in our fuzzing scan. PayloadsAllTheThings provides lists of extensions for PHP and .NET web applications. We may also use SecLists list of common Web Extensions.
  • We may use any of the above lists for our fuzzing scan. As we are testing a PHP application, we will download and use the above PHP list. Then, from Burp History, we can locate our last request to /upload.php, right-click on it, and select Send to Intruder. From the Positions tab, we can Clear any automatically set positions, then select the .php extension in filename="HTB.php" and click the Add button to add it as a fuzzing position:

Image

  • As I see, I got so many 200s and "File successfully uploaded" responses.

Image

  • But when I am testing those files, none of them are working, even those showing a 200 status code.

Image

  • So I decided to test them one by one, and I got a hit.

Image

  • And I got a hit, and then I grabbed the flag from the web shell I uploaded.

Image

## Whitelist Filters

Question 1 :- The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read “/flag.txt”.
Answer :- HTB{1_##############}

  • In addition to the reverse double extension, there is another method of bypassing a whitelist validation test: character injection. We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.
  • Each character has a specific use case that may trick the web application into misinterpreting the file extension. For example, (shell.php%00.jpg) works with PHP servers of version 5.X or earlier, as it causes the PHP web server to end the file name after the (%00) and store it as (shell.php), while still passing the whitelist. The same may be used with web applications hosted on a Windows server by injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx). Similarly, each of the other characters has a use case that may allow us to upload a PHP script while bypassing the type validation test.
  • We can write a small bash script that generates all permutations of the file name, where the above characters are injected before and after both the PHP and JPG extensions, as follows:

Image
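The blacklist-versus-whitelist discussion above and the character-injection tricks in this section both come down to how the back-end parses the uploaded filename. As an added example (not HTB's code and not the exercise's upload.php), here is a whitelist-only validator in Python that accepts a plain base name plus exactly one whitelisted image extension and also checks the file's leading bytes; the regex, the whitelist (assumed to mirror the accept=".jpg,.jpeg,.png" attribute shown earlier) and the reason strings are assumptions for this example.

```python
import re
import secrets

# Whitelisted image extensions (assumption: mirrors accept=".jpg,.jpeg,.png").
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Leading bytes each whitelisted type must start with: a content check on top
# of the name check, because the name alone is attacker-controlled.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# One base name, one dot, one extension, nothing else.  This single positive
# rule rejects every filename shape this walkthrough relies on: shell.php
# (extension not whitelisted), shell.php.jpg / shell.jpg.php (two extensions),
# shell.php%00.jpg and shell.aspx:.jpg (%, a raw null byte and ':' are outside
# the character class) and ../shell.jpg (no path separators allowed).
SAFE_NAME = re.compile(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Whitelist validation of an upload's name and content.

    Returns (accepted, reason).  The reason strings are constructed for this
    example; a real endpoint should log them and return a generic message.
    """
    match = SAFE_NAME.fullmatch(filename)
    if match is None:
        return False, "filename must be name.ext with one safe extension"
    ext = match.group(2).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not whitelisted"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not look like a .{ext} image"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Never reuse the client's name on disk: generate a random name with the
    already-validated extension, so the stored path cannot be influenced."""
    return f"{secrets.token_hex(16)}.{ext}"
```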

  • As previously discussed, we send the POST request to Intruder, set the positions as before, and start the attack.

Image

  • Then we get a hit (we can filter the results by string by going to Settings (1) and entering the string).

Image

  • Now we can go to the path where we uploaded the file and get our flag.

Image

This post is licensed under CC BY 4.0 by the author.