A major event happened in my life over the past 2 months, which is why I haven’t been able to keep up with posting write-ups on my blog. But just because I haven’t written anything for a while doesn’t necessarily mean that I haven’t been studying. On a positive note, I got a job as a Cybersecurity specialist! While my current role doesn’t involve pentesting, which is a bit of a bummer, it’s still an amazing opportunity to expand my skills and expertise in this field that I love. I have already learned a ton and I am excited to keep growing and hopefully get involved in pentesting in the near future.
Lab: Remote code execution via web shell upload
This lab contains a vulnerable image upload function. It doesn’t perform any validation on the files users upload before storing them on the server’s file system.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the content of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
This is the main page of the Lab
If we click on view post, we can see we have a functionality to upload files at the bottom of the page.
Or if we click on My account and log in with the provided credentials wiener:peter, the upload functionality is also available there.
First, I chose a cat image file that was available on my Desktop and toggled the Intercept on button in Burp Suite to intercept the traffic. Then I uploaded the file.
This is the content of the POST request we just made to upload the cat image file. If you look closely, it specifies the name, filename, and Content-Type of the uploaded file, and the random-looking text below is actually the binary data that makes up the image file.
We get this confirmation message saying that our file is uploaded to the following path avatars/(unknown)
After clicking on Back to My Account, we can see that the uploaded cat image is set as our avatar image.
I sent the POST request I made earlier to Repeater, changed the filename to exploit.php, and deleted the image data below, replacing it with the PHP web shell code:
<?php echo file_get_contents('/etc/passwd'); ?>
This is the GET request to retrieve the previously uploaded image file. I replaced the image file name with exploit.php because that’s the name of the web shell file we just uploaded in place of the image.
If you look on the right side of the screenshot, we successfully retrieved /etc/passwd
Now, all we have to do is replace /etc/passwd with /home/carlos/secret, because that’s the path where the answer to the question is located, as specified in the lab description.
The server responded with the secret E7GnNlW2W2SAasyDLDzzHeCsKYNJ8nNk
I submitted the returned string as the answer
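The lab works because the upload handler trusts the client-supplied filename and Content-Type and writes the bytes straight into a web-served directory. Below is an added example of what a hardened version of that handler could look like; it is not the lab’s code and not from PortSwigger. It assumes a form field named avatar, a storage directory outside the web root, a 512 KB size limit, and the GD and fileinfo PHP extensions; all of these are assumptions chosen for illustration.

```php
<?php
// Added example, not the lab's own upload handler.
// Assumptions: form field "avatar", storage path outside the web root,
// GD and fileinfo extensions available.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../storage/avatars'; // assumed: not web-served
const MAX_BYTES  = 512 * 1024;                       // assumed limit
// Allowlist keyed on the type detected from file content, mapped to the
// extension the server will assign. Nothing else is accepted.
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate one $_FILES entry and return the server-chosen file name.
 * Throws RuntimeException on any check failure.
 */
function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept files that arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, never from the client's filename or
    // Content-Type header: both are fully attacker-controlled, as the lab shows.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported file type');
    }
    // Re-encode through GD: a non-image is rejected, and anything that was
    // hidden inside a valid image (comments, trailing data) is discarded.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('corrupt image');
    }
    // Never reuse the submitted name. Generate it server-side and force the
    // extension to match the detected type, so exploit.php can never land on disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok   = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write file');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
    try {
        $saved = store_avatar($_FILES['avatar']);
        echo 'The file ' . htmlspecialchars($saved) . ' has been uploaded.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Two design choices matter most here. First, the storage directory is outside the web root, so even if a check were bypassed the server would never hand the file to the PHP interpreter; files are served back through a separate read-only endpoint that sets its own Content-Type. Second, the name written to disk is chosen by the server, which removes the exact step the write-up relied on (renaming the upload to exploit.php). If uploads must live under the web root, additionally disabling script execution for that directory in the web server configuration gives a second, independent layer.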