8.3 Lab: Web shell upload via path traversal | 2024

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability | Karthikeyan Nagaraj

Description

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

1. Create a file called shell.php which contains the following code <?php echo file_get_contents(‘/home/carlos/secret’); ?>
2. Log in to your Account with wiener:peter
3. Upload shell.php , capture the Request, and change the value of the filename from shell.php to %2e%2e%2f/shell.php and send the request.
4. Now, go to My-Account, right-click on the avatar, click Open in a new tab, change the location to /files/avatars/../shell.php, and send the request.
5. If it is not working, then send it to Burpsuite, and you’ll see the secret code.
6. Copy the code and paste it in the solution to solve the Lab.

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Cyberw1ng

Telegram Channel for Free Ethical Hacking Dumps

Ethical Hacking Dumps — CEH, OSCP, Comptia

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng