TryHackMe! Upload Vulnerabilities - File Upload Vulnerabilities & Exploit - Complete walkthrough

Captions
Hello and welcome to another video here on TryHackMe. We're going to be doing the one called Upload Vulnerabilities. This room is here to showcase different kinds of basic file upload vulnerabilities on websites. The Getting Started section is basically telling us to copy and paste this line here, and depending on whether you are on Mac OS X or something else, we need to put that into the hosts file so you can access the different domains listed here. Pay attention to the separating space here per domain name; the IP address here is the one that is on the server. Let's go ahead and access it. I'll just exit my Metasploit and say sudo nano /etc/hosts, enter the password, and then just paste that in at the top. Make sure it's right there; you don't need the spacing to be exact, but I like to have it that way. Then you should more or less be able to take this domain here and open it. It says bad gateway for now, and I close the room. Wonderful. So we're going to go ahead and do the very first task and complete that, since we did put the hosts entry in. It's just talking about that if you have done a step before, you must remove the previous entry, yes, because the addresses are no different, and so on and so on; but if you read that you're going to get it pretty fast.

Introduction: they talk about how the ability to upload a file to a server is a really nice thing when it comes to functionality, but it also opens up for different kinds of malicious activities, such as uploading a file that can be executed directly on the server. The example could be that the server is running as a PHP application; then you can basically upload a raw PHP file with code in it and it will be interpreted by the PHP engine if you can get access to it from the web URL. Typically that is named by developers as uploads, or files, or other common names like that. So really, uploading a file to a server requires some proper verification and validation of the file, also making sure that the file is actually the file it says it is. Let's
complete this here and go to the next task. The General Methodology: they tell us that we need to use a tool called gobuster. Now, I have it installed already; I'm using Kali Linux and I think it was pre-installed, else you're just going to do this here: sudo apt install gobuster. We're going to intercept different kinds of requests with Burp Suite. I already opened that here, so you're going to need to install it if you don't have it installed. There's a room here called Burp Suite Basics which I kind of suggest you do if you are totally new to Burp Suite. Wappalyzer is not a tool I have; we could probably install it, I don't know if it's needed or not. We're using Firefox, so just add it to Firefox here, say allow the extension to run in a private window, and we have it right there. Then we should be able to take Wappalyzer on the page we are on, click it and say yes, okay with that, and then you can see different kinds of things going on. I never really used this plugin before; if they're going to tell us to use it, well then we will of course just use it. So let's complete this task here. By the way, the tool gobuster is the tool you need to explore different important folders. So whenever you have a particular server on an IP address, finding that uploads or files folder, whatever it's called, could be a time-consuming process, so sometimes it's easy just to brute force your way. I think it's, yeah, it's a directory brute force; brute force your way, try different folders and see if they exist or not.

The very first one is called Overwriting Existing Files. Overwriting an existing file is all about that you can take a file name and name it the same as the one that's uploaded, then upload it and then you get a new file. So in theory that should not be possible. Whenever you upload a file to a server you should be able to upload the same file as
many times as you want, if it's within the parameters of allowed files. Okay, but if you can overwrite an existing file already, it basically means that you can give the file a specific name and the file already there would be overwritten, sorry, written over by the file that is being uploaded, which is kind of bad. So they want us to... it says "please note that demo uploads will be used for all demonstrations", however the site is not available, and I also need to put in no space, and what is this, "Never Gonna Give You Up"? Okay, so that's a Rick Roll. So it's something you just need to pay attention to sometimes, that you can be Rick Rolled. I was just tired of reading the text, but yeah, you've been warned; I didn't press play. So let's go ahead and go to the overwrite site. I still need to do http:// just like that, press enter, and we have the particular website here where you can overwrite stuff. We could try something like /uploads now, and /files or /file or /upload, and sometimes in the task they do actually give us the path; it says images in this particular case. Let's write /images and it's forbidden. They also said something about spaniel.jpeg. Why are you doing this to me, Google? So basically, I didn't specifically manage to overwrite the original, so I'm not really sure what they want us to do, in all honesty. Let's just read the task. "Following me to the web page", yes, well, there is no... let me see, did I do something wrong? Let's just select a file now; take any... I don't even have an image, that's a problem. So let's see, can I find an image? Open, upload, successfully uploaded. Let's look at the source now, and it does say that the image is images/mountains. So in theory we should be able to take a file now, if they are placed in images as they probably said. So let's go to the command prompt, do cd, clear, and I did have a JPEG file, didn't I? Yes, so let's move the "gum room" JPEG to mountains.jpeg. Let's then go back, select the
file, mountains, there we go, and I should now overwrite the file. Now in theory the mountain here should be replaced, but this is a task so they just gave us the flag instead, and the flag is the proof that we actually succeeded. Let's put it in: I overwrote mountains.jpeg, just like that. Let's continue to the next part.

The next part here is about remote code execution, which is bad. I also usually use the one you call RCE, and remote code execution is basically a way for you to execute code directly on the back end, which is really bad, as in the example I mentioned at the start. They do talk about PHP here; that is the normal language you probably do remote code execution with, by uploading a direct PHP file, because it is kind of vulnerable to that kind of thing. That doesn't mean that PHP is bad, it just means that it requires a bit more work on the back end to make sure you don't get that kind of traditional exploit flaw, whatever, the vulnerability on the back end. But there are two different ways to achieve remote code execution on a web server: that's by uploading a file like a web shell or a reverse shell, and realistically a fully featured shell is the goal of an attacker; however, a web shell may be the only option available. So in the particular case they talk about, let's assume that we found a web page with an upload form like that, and then you could go ahead and start a gobuster scan. What they do here is they run gobuster with dir for directory, -u for the website, they might upload that, and -w is the word list you're going to use to try and brute force different paths. So maybe you're going to get something like this, like /uploads and /assets, and then it's going to be under here; you can see you have those assets, and pay attention to the status codes: 301 should be, I think it's redirected, so it's good. Instead of uploading a JPEG file, what you want to do is upload a different kind of file. What is kind of needed for this
to work is to get direct access to the file, so you can click it. So if you can upload a PHP file with code in it that you can execute directly, then you need to have direct access to it so you can hit it in some way and open it. So let's go ahead and copy and paste this link here, just going to take this here, and one more time with the Rick Rolls. So did they really mean that? Was that a Rick Roll? Yeah, it was. So one more time, TryHackMe will Rick Roll us every time. So it's not called demo; I keep forgetting the one we've got to visit. Oh, they have a redirect on the upload place, so we should be able to navigate to this particular site, though, no, still not. I was just interested in doing Rick Rolls sometimes instead of just solving this task, very interesting. So they say, like, navigate to... thank you, that's Rick Rolling us again; they are Rick Rolling us all the time and I keep falling for it, because I am really tired today. So this is the executions site; this is the web page where we can upload a file. So you can upload a file here in this particular case, and I think we can go with whatever we would like to upload; it could be like this PHP file. You can upload it and maybe you can access it; we can always just try different paths, /uploads, /files, whatever it is. Maybe you will not find it; sometimes, if you're lucky, you can find it by looking at the source code directly. It could be /assets, I don't really know. So instead of spending a vast amount of time looking, just try /assets for this particular case, and see the images, and well, you do see some images but you don't see the one we just uploaded. So there might be some different name for us to try and guess. So first of all, let's see, did they tell us where it was? No. So run gobuster scans; let's go ahead and do that. So let's take the URL, go to the command prompt, gobuster dir for the directory scans, put in the... sometimes copy-pasting is a thing that just doesn't strike as easy always. We're going to
do a -w with the /usr/share/wordlists list. I want to say that depending on where you put your directory list, it can be in different places, so you need to pay attention to this. Now I use Kali, so in this particular case it's located in /usr/share/wordlists, but you can also download something called SecLists; go ahead and check my video on YouTube, search for Security Mind and SecLists. So it's /resources; we know it already, so let's just go ahead and copy and paste it. I'm guessing these kinds of things can take a lot of time. Let's put it in now; let's go ahead and add that and see /resources, yes, one slash, not two, and we see the image now. Called it! So what we can do now is just upload on this page one more time, and they want us to get a web shell or a reverse shell. Now in this particular case what we need to do is go ahead and visit a web page called pentestmonkey; search for pentestmonkey and the PHP reverse shell and you're going to get the very first hit here. You don't need to take the tar file; you can go ahead and take the one... I think, yes, that's not the one we need. I think this is okay, that is not the one we want, so I kind of hoped to... I'm just clicking around, hello, find the GitHub repository for this shell, it would work. So we could take this one here; I access the one on GitHub for pentestmonkey, go ahead and say Raw, copy and paste the URL, and get it downloaded, and now we have it. You need to edit it a little bit, so nano rshell, scroll down a bit and it tells us to change the IP address and the port. So let's change the port to 444, which is the port the script will try and connect back to on our machine; we're going to create a listener in just a second. And the IP address of my machine is something that I don't remember at all, so let's go ahead and do a sudo ifconfig; depending on the version of your operating system the command we use can be different, it could be ip. So I took the IP address and just
paste it in, save the script, and that really is it. So now I'm going to go ahead and run a netcat listener on port 444, and basically that's going to listen for the incoming connection that we're going to get by uploading this particular script. So let's go ahead and select the file; it's called rshell, there we go, uploaded. Go back, update, you can see it now. This is needed: now we're going to click this here, and you should be seeing this ding-dong-ding going back and forth like that, which basically means that the tab itself has connected to something and it's kind of hanging. As you can see here, we got a reverse shell back. I can go ahead and write ls; not really sure where they want us to get the flag, so I'm going to write cd, so we're going to /usr, I'm going to go into, I don't know, games, no, so let's go into /var, I cannot type, /var, and top, and then the flag is there. Now of course you will need to know where to look in order to find the flag in this particular case, which is why I also just took a small peek. Now that we achieved a shell, we don't need to keep it, so we can just shut it down and go back here, shut down, close the screen. That is the very first one. So getting a reverse shell, and you probably think like, what is a reverse shell, those kinds of things. So that is a good question, and the problem is that if I should explain that too in this particular room it would take a lot longer, but a very quick explanation of a reverse shell is that you make the machine that you attack connect directly to you, which explains the word reverse. The shell itself is the actual command prompt you get; you can type commands on your machine that will be executed on the target machine. So basically that is the way the reverse shell works.

The next one is Filtering. So far, up to now, we have seen no countermeasures, so now we're going to see something; we're going to see stuff like extension validation or filter validation, different kinds of ways we have to go and do
that. It could be done by looking at the magic bytes or the magic number, which is the one that is represented at the very first of the file. So there are different ways to look at it, and those magic numbers, by the way, are the more advanced thing it starts to talk about, I guess. In this particular tutorial it describes what file it is; in this particular case 89 50 4E 47 0D 0A 1A 0A, but that is the PNG, as you can see, which tells the machine trying to read the file that this is a PNG file. So they want us to... what is the traditional, predominant one? So that is PHP, I assume, yes. When validating by file extension, what would you call a list of accepted extensions? I would call it a whitelist; I don't know if that is what they want. Okay. What MIME type would you expect in a CSV file? I'm going to research this, so let's go ahead and take "mime type" and Google it, and yes, the MIME type for a CSV file would then be something like text/csv, it would seem. Let's put it in, and that is the MIME type for that particular one.

The next task we're going to do is the one called Bypassing Client-Side Filtering, and by doing that we could go ahead and send a file directly using a tool called curl. I'm really the biggest fan of curl, but it is a command-line tool; it's a binary file with which you can execute different kinds of HTTP requests up against a target and then you get text back. It's not a GUI tool or something. So one more time, assume there will be a file upload page, on this particular page; I'm going to visit demo one now and you see something like that. Now this is the client-side thing, and it does say client-side, doesn't it? Yeah, so the client-side thing here is all about you have this JavaScript here and it basically says, so you're trying to upload a file, and if the file type is image/jpeg then you
can, well, upload it. So let's go ahead and see how you can misuse that in a particular way. We're going to use a proxy in this particular case. Now if we go ahead and check out the text, you will see what's up and what's not, so really what I'm going to do is just scroll down a bit here; they also give us the correct URL to visit. Let's go ahead and visit this, http://, put it in and go right back. So as we see now we can select the file, and if we do the shell one more time, it's not there, it's in... okay, then we cannot upload it: invalid file type. So what we're going to do now is, I have a plugin here called FoxyProxy; I can turn on Burp and basically what it does is we have a Burp setup as an option for the following IP address, which is me, so basically it's just going to swap it through that. It says green, Burp, and let's go to Burp Suite, make sure that the proxy and intercept are on, it's like the five elements high, and now we have this invalid file type. Let's press upload, and it seems like I have a problem zooming in on this text here, but we can see that it's trying to do an upload. Let's just click next, and next one more time. So the problem is that here we have a direct JavaScript here in /assets; I think this is the one that's going to... whenever we... I'm going to read the JavaScript now. This is bad: change something and it will look for if this is the particular, whatever it is, JPEG file; we will use the form, it's going to make a POST, and click the button. What we could do is, we could in theory disable JavaScript; we could probably do that. Let's just see one more time with the developer tools, nope, the one, ah, I don't have a way to disable JavaScript here, more tools... let's just see what they want us to do. So we follow the task here: the Content-Type is the one that's going to contain the MIME type, so what we could do is, well, it seems that we could pick any. Let's go ahead and just do what they wanted to do. Let's take the rshell here and move it to rshell.jpeg. Now that doesn't mean
it's a JPEG file; it's shell.jpeg now, but it's probably not going to be directly rejected by this mechanism here. Invalid file type? Why? It's shell.jpeg, why is that invalid? No file selected, are they... So I want to do it exactly the way they want, because what I would really just do is disable JavaScript; it would be by far the easiest way to do it. Well, we could try something else; I'm just going to try something interesting now. Let's go ahead and do an upload, say yes, that's okay, can we? No, we cannot. So let's go ahead and just do... does this file go through? Invalid file type. What exactly was it that I needed it to be? Let's check it out one more time. Oh, PNG! I thought it was JPEG. I'm really tired, I'm sorry for that, guys. So let's just do the shell.php to shell.png, there we go, I'm going to take it, yeah, and it's, oh why... what's up? PNG, not PHP, sorry. So we chose it. Now I'm going to go ahead and make sure intercept is on, press upload, and what we see here is that all the text inside the file is the reverse shell, but it's called .png. Let's rename it to .php. Let's just try and upload this and see whether it recognizes it. Forward. It's a success. Forward one more time, and that's it, really. So now that it's uploaded successfully, let's go ahead and go back. Ah, what is the flag in the... so now we need to find the uploads. Is it, so what is it called, is it /resources one more time? This is called /uploads, now we don't really know, so let's just hope that was it. Let's go ahead and start the reverse shell one more time, so the netcat listener, click, it's hanging, go back, cd there, and cat flag.txt. Now we have that; we have full access and a proof of concept to TryHackMe that we got the flag, put it in. Now, I just totally thought it was JPEG; I didn't at all think about it; it's just epic. So anyway, we're done, we did it. Let's go ahead and turn off Burp Suite now, go back, take the next task; it's called Bypassing Server-Side Validation. Now in this
particular case they're probably going to make us rename the file, so what you're going to have here is .jpeg.php. So the server has some sort of code saying that, oh, if there is a JPEG extension in the file name it must be a JPEG, but it doesn't check the rest of the path, sorry, whether it's the last one or the first one mentioned. So we should basically go here, to annex, http:// like that, and, really good, now what is this? This is a command prompt, interesting. "Upload: a file must be chosen before uploading", what? Oh, select. So we can go ahead now and take this: move shell.png to, well, whatever, shell.png.php; I don't know if it's a PNG or a JPEG again, I don't really care, and I'm just going to try, and I always love that. So please don't, shell, take this file here, upload, oh, what's it, JPEG? Whatever, this time it seems like it is. So now I'm right, now I'm right, so move shell.png.php to shell.jpeg.php; now that should in theory work, so it kind of verifies that there is a JPEG extension in the file name, which is a very stupid way of coding applications, but not every programmer knows these kinds of things, which is why I am trying to create this for you. So let's select it and just upload, nope. What is it again? Select the file, put the name in, choose, select shell and then shell.jpeg, if it's the right one, and shell.jpeg.php. They didn't want us to do it that way, all right then. "So that should be it for now; you shouldn't have any trouble finding your shell, but be aware directories will always be indexable." The hint in this particular case is the commands: do not start with the dash, the word itself. Okay, upload now: file type is invalid, very interesting. Now we already know where this is saved; we can just try different names. It doesn't really give us anything. Just copy the name, do a gobuster scan now that we have it all; you can just go ahead and replace the one
here and then just run the script. Now I just have a folder called privacy, very interesting, so let's go ahead and copy and paste it and just see what's going on in /privacy, and this is probably where we should find the images. So let's see, can we do a mountains upload now? Is it possible? Yeah, and we see it right here. Now there is some sort of thing going on here, so you cannot overwrite the file, it would seem, which is I guess kind of good in a way. So let's one more time do a select and do a shell... I guess this would be okay, but last time we tried it didn't succeed, nope. So what we could do is, let's just stop this now, take this shell.jpeg.php or whatever and try to... well, what we could do in theory is just go ahead and try a bit one more time, because we don't really know what's going on. So let's do select, shell; it's some JavaScript, this is, so it's probably pretty stupid; let's see, jpeg there, and do upload, and we got it fired up here. It does say it is sent as application, so let's try and change the Content-Type now and just do MIME type jpeg. Oh, let me just do it in another browser here, MIME type jpeg, close this window, and it's called, let's just do image, yeah, image/jpeg. Let's do a forward now; it says invalid one more time. Let's see if it's still invalid; it is. So let's do a select and do it one more time and then upload, and no, it doesn't eat it that way. So in this particular case we need to look at the actual PH... sorry, the JavaScript code. Let's go ahead and check out what's going on, so it's probably this file here, I guess, yes, it's a very interesting piece of code here: "file uploaded successfully", "file type invalid", "select failure". So what I'm going to try now is go ahead and search for PHP, and it doesn't pop up in any way, so maybe this is not the right script. Let's just check on what we have; it should be the script, it should be, but since we cannot see the script, now we're going to think about what task we are at.
It's called, oh my, it's called server-side. So if this is the code and it's server-side, I would try different kinds of things. So we're going to try and extend our knowledge and try something new; so far we never tried something new. So they don't accept these extensions in any way. Now, the different ways to put the extension of PHP could be .php5, for example, so that's probably the way we're going to do it: so .jpeg.php5, I'm going to take it and go ahead into the upload page and say select, shell, hmm, make the file upload, and now we did it. It should be right here now, so when we click it, we can connect back to the same shell with the netcat listener as before, and as we see, it worked. So cd and probably cat the flag; it was in the same location as last time. So depending on the difficulty of the task we have different ways to evade the filter. I kind of hope that you understood that I did different things here and tried out everything we knew so far in a certain way.

So let's go ahead and take the next one; this is called Magic Numbers. In this particular case we're going to go ahead and fiddle with the numbers in some sort of hex editor. The one they want us to use is hexedit, which is default on Kali, so hexedit should be here, and it is there, so let's go and exit it. So what we're going to do now is open the file in the hex editor and probably in some way tell that this file is a JPEG file, because the code on the back end is going to read the file. So if you go to the command prompt here, let's take this file called shell.jpeg.php5 and just call it shell.php for now and do a file shell.php on it; we will see that this is a script kind of file, a PHP script. So in this particular case it could be, well, we also have something called mountains and this is going to be identified as a JPEG. The way this program called file identifies the type of the file is not by looking at the extension but at the file itself. We
can go ahead and just do a copy of mountains and call it mount, and then do a file on mount and we're going to see the exact same information again. Pay attention: this time I didn't put the .txt, or sorry, it's not .jpeg at the end, because it's really just a magic byte file reader. So in this task we will change the very first two bytes to FF D8 FF DB to tell that this is a JPEG file. So remember that the text file here, nano shell.php, is a text file, so you can put four A's here; we're going to do that with capital A's in the front, then that's going to be the first two bytes that's going to be represented. So in the hex editor, shell.php, and you can see that the first... I know this is difficult to read, let me just try and mark it a bit, I hope this works better; you can see the first four A's, and now we can just put in the magic bytes instead. So that would be, going back here, that would be, let's just say FF and D8 and then FF DB. I'm going to save it and say Ctrl-X, yes, and if I do a file on this now it should say that it's ASCII text. And now it's kind of changing the way... I don't know if this was enough; let's go ahead and just open it one more time and see: it didn't save it, wonderful. Let's do it one more time. So can I just copy and paste this, to be honest? No, I cannot. So FF, whoops, D8, oh okay, so FF D8 FF DB, I think it was. So let's close it now; I do a file on this one here and it just says JPEG image data, and now we have it, only because we put in the very first bytes. So if we nano it now, you can see that it's simple mumbo jumbo; it doesn't really interpret it, and this is probably also another way of me telling you that there's nothing secret about the magic bytes in the file; you can always just put them in. So let's go ahead and go down and access this particular magic page, there we go, go there, what is this, shell, nope, shell.php, upload: "GIFs only, please". Oh, all right, so they want us to change this
for GIF files, so we need to change it to a GIF now. So let's go ahead to Google and do "mime type gif", to do the research, sorry, "magic byte gif", and take the very first link, I guess, and say GIF format. There we have it. So let's go ahead and just open it again one more time in the hex editor, and it's then 47 49 46 and then 38, and save the file, and that should in theory say it's a GIF file now, as you can see. Let's go back and one more time upload it, and we got it uploaded. Now, I know where it is, but let's just try /uploads, remove... oh, so let's go ahead and just take the URL, clear the screen, go ahead and run gobuster one more time, use the exact same command and remove these, and it says /graphics this time. Guessing these kinds of URLs would be kind of a waste of time, so let's just put in /graphics, and this is shell.php; I'm going to write that instead. Then let's go ahead and start the netcat listener on 444, right, it's hanging, no, it's not hanging, nope. Are there any things that we missed? "Depending on the date and time of uploading a file, this task will not do so, so keep it relatively easy", okay. Let's just see, did we also find another one? I think we also found the one called /assets; let's just try that, well, it just keeps doing that to me, and shell.php there, no. Very, very weird. So what do they want us to do? Hmm, I think this is the way you should do it. Let me just one more time go back, select the file, what was it again, was it shell.php? It was, and I can upload the file, yes, and then I can go here and say /graphics/shell.php. Oh, I don't know why it didn't work before. Yeah, sometimes you just need to do it one more time, and then that's really it. I'm going to take the flag, copy and paste it, put it in, and that's it; shut it down, close the screen, go back to the task ahead and see Example Methodology. Now they do talk about different kinds of things here, like we went through different kinds of filters, client-side, server-side, or built stuff, filters in the way.
Yeah, so read the task. Now there's a challenge; the challenge is the one called jewel.uploadvulns.thm. Now go ahead and download the task file here; it's a word list, I'm going to use it now. I recorded this video very late last night and I had to cut off a bit of it and do this again, but basically we have a website here called jewel and we need to upload something. So I can just try to upload the very last shell.jpeg I had, and this has some actual code inside of it, and it doesn't really work. So I guess I can upload any particular file that I fancy to upload, but what I really want to upload is this particular shell here, but I need to figure out: is this also a PHP server, or what is it? So what I'm going to do is intercept it with Burp, set it on, and press Ctrl+F5 to get every single thing there is here that I can read. Now, if you cannot intercept the JavaScripts that I'm also getting here, it is because under Options you need to take the first line here under Intercept Client Requests, edit it and then remove the jpeg part here down below as match conditions, because it does not match on the relationship; that is the reason. So let's see, another JavaScript; we're just going to casually upload.js, that's interesting, we will look at that at some point. So we have client-side validation, we have some things, hacktricks, not for me, WebSockets, yes, nothing to give. I suspect this is probably not PHP. Let me just press F5, go to Network, update it and take the very first one, and it says X-Powered-By: Express. So this is Node.js; this is also something you need to well know, so if you go and search this you probably get Node.js. That also means that we need to find a Node.js reverse shell. As I also told you, I was here yesterday but I was just so tired that I stopped the video and I figured I'm going to do a fresh one again, but this is a Node.js reverse shell; you just basically take it and you go to the terminal and you go into nano shell.jpeg that I
have and I actually also put it in there got that far put in the IP address of the machine you have on your localhost and the port is going to connect back to you can pick any port doesn't really need to be that you know I'm I'm gonna pick another one here just four four and save it and go out and then I'm gonna do a knit CAD on 444 and wait for the incoming connection however I need to upload it still so I need to render those you know upload vulnerabilities I still do not know where this will be upload to so I also need to run a go bar so let's go ahead and just take this here and take a new tab which is this one directory and it's gonna be this side here now before we do that we also need to run let me just explain what's going on here I also need to run a gobuster scan using the upload volunt list I know they gave us that so the reason for that is they want us to use that as a word list up against the content folder which is something we just found here we also have a folder called admin the content folder will contain the files we upload you will verify that in a moment and the admin side is a specific side of me to visit in a few moments in order to execute our reverse show so now they found these kind of things this way we go ahead and run this and this is something we need to run every time because we need to verify which kind of files is there so the files uploaded will be named weirdly after this upload word list which is something we need if we didn't have that we would basically need to guess and might find out at some point and then we just create our own word list and then eventually you know we would have you know the different files um in the names so when we when we leave this running we'll get a complete list of the files we have when the files are collected we can upload the file do one more scan and they will know the file that is new and that is the one we need to call meanwhile we can go ahead and render some of the client-side controls here 
on the website to inoperable so go through burp and to set on control F5 to reload everything forward until you see that upload.js file which is interesting when you see that you do error right click and do intercept request on this and then you just forward one more time and sometimes it's a next forward other times you need to go forward a few times then you see the code inside of that no JS file as you can see this is the upload.js you scroll down a bit you'll see three different client-side filters one for file size one for magic number one for file extension we don't want any of that because it's a waste of our time so we just remove it and then you just forward the rest and intercept of now this part is ready to upload our reverse shell while waiting for that let's go ahead and just take you know ourselves to admin and this is the admin page now it does say that this can activate modules from this Latin module directory so inside the root directory of the web page it got different kind of folders like modules and content so we should be able to like dot dot slash content like that go one pack and execute whatever file we find we cannot do that before this scan is done and then we can upload our file and find whatever file we need to execute directly and that should give us a ping back to our reversal sorry I don't look at listener and I really that's it so this is just the scan we already did with the kind of you know photos and almost ready to be called and let's just wait it out and let me just talk a bit more it is kind of important that you verify which kind of content server it is this is a node.js server different ways to verify as we already you know talked about the X powered by Express and the express is a framework that you also see that it kind of talks about it here how to remove X Powers because it is kind of a way to you know tell what kind of back end it is but Express GIS is a part of node and if you continue to read about it you will pretty 
fast you can probably just take the very first part here and stack overflow and do they mention node at some point yeah they do know it right there so basically you know how to go ahead and find your node.js reverse shell now the scan is done we can go ahead and go back to the the page here and select our shell the tape and upload that we should see this is uploaded now which is true so now we need to find out what the name of it is and that's the way we just kind of redo the same scan with the same word list and just say which kind of file is here if the scan identifies the file before it's done we can just stop the scan there's a slight chance it's going to be one of the last names so if that is the case we have to wait it out until it's 100 done so basically it's uh this is the one two three four what is it like 10 files I have DTE it's there and you can just e k n it's also there an i x u should be the next one and you can sign kind of see that it follows the alphabet in a way so that is the way the word is built so depending on the name of the file it's been chosen for the file uploaded Go Buster will reveal it in the speed of the word list so we just wait a bit now with that is done you see ixu so it's not that Nick one is so what should be done now is you go ahead and start your own netcat listener now I put in the port of 444 in the reversial and that should be able to be called directly from the web page here as you can see the admin page you can activate modules so you've paid to write the jpeg file now remember that doesn't really matter if it's a jpeg or JS in this particular case because you're just going to execute the code directly inside the file so that's the vulnerability and LKQ LKQ select one called S80 for set and then SXL and so on so just gonna wait a bit more for that [Music] hopefully we're gonna get a ping back the task then will be finished by giving us the flag and I don't what is this what is this oh yeah yeah that's fine so once it's 
done we will finish the flag find it and oxl now we didn't have that as last time so we can say that that oxl just jpeg is the file we need because it's not in the list from before so that is the name let's go to The netcat Listener go to the web page the admin page put it in Click ok go back and you have a ping back from the server your virtual ID your root so let's go into CD bye see device uh where are we [Music] cat flag and there we have it it does remind me of a darker container because I would like to say that I am creating my own capture the flag at the moment and and this reminds me of a darker container way because we have nothing yeah no suit either that's very normal we have an income if config host name yeah what is it like hostname Tech hey what is a toast name Tech eye yeah it's Tech I for the IP address yes this is probably a darker container anyways we're done we have root no reason to have this running anymore you know I think in this particular case of upload vulnerabilities let me just finish it all now I like this room for telling us different kind of ways the upload vulnerabilities are kind of interesting because there are many different kinds of them and this room kind of shows the most vital ones I would like to say so I really hope you learned something for the video it's quite long and I really hope that I explained enough for you to get it all in so I want to say please consider you know uh liking and commenting and subscribing the video also if you wish to support me even more I did create a patreon who's going to be found in the description below and I also have different other ways that you can help and support me so I can buy some materials and stuff for this channel to make it even better so that is what I want to do remember that I'm gonna try and get the hack 5 Wi-Fi pineapple so I can do more Wi-Fi pin testing for you guys so yeah until next time you're gonna see see you again have a really nice day [Music]
Info
Channel: Security in mind
Views: 10,814
Keywords: tryhackme, file upload vulnerability, hacking, tryhackme walkthrough, tryhackme review, tryhackme tutorial, linkedin e learning, udemy wordpress, codecademy, udacity, sans institute, linkedin learning
Id: vwnt1AcExiI
Length: 66min 14sec (3974 seconds)
Published: Wed Nov 09 2022