TryHackMe | Upload Vulnerabilities | Part 3 Walkthrough

Captions
All right guys, let's try this again. Welcome to my YouTube channel. We're going to do part three of Upload Vulnerabilities, the last one, task 11, the challenge. Let's see if I can get this correct; it's been lagging lately. So first you load the web page, this is jewel, and then it's the same slash, trying to find how to get to it, and it says you need help. There's a series of hints here and there, also a video, and the hint says: yes, successfully uploaded the shell but cannot get to it. Hint: this is not the usual way of executing, trying not to bypass the number filter. What the... that's not good. All right, hope this works. All right, hint number one: have you tried gobusting the site using a standard wordlist? And then it says while that runs, look at the source code of the homepage; see if you can find any static files included. Okay, so let's stop here. Let's gobuster this website, so we're trying to find the directories. Well, that's going; it says look at the source code, so right click, view page source, and you can see there's these scripts. That's nothing, that's nothing, so there's upload.js.

upload.js says check file extension, so it's a jpg file, so that's going to be important later on. And then it says hint three: you will notice that the file upload only accepts jpg files and that the background images are stored in /content. Try uploading a legitimate jpeg file, bearing in mind the size filter, then use the custom wordlist in the room to find your image. So when you click upload, see, there's also a jpeg, and this file successfully uploaded. Now next it says use the custom wordlist in the room to find your image, so it's right here, download task file, and open it up. So the Upload Vulnerabilities wordlist, let's edit, select all, right click, copy, close it out, clipboard, paste, and we're going to open a new tab and then we're going to nano upload-one-wordlist.txt. I hope I got that right. Yeah, upload one, this, and then right click, paste, there you go. Let's see. All right, exit, save. So we've got the reverse shell, that was from the previous task, and the upload wordlist. Okay, so hint number four: use gobuster's -x switch, and we're looking for a jpg file. So hint number five: we're going to use another gobuster, so we're going to copy this. There you go. Read through the JavaScript client-side filters; what are they looking for? Use the techniques taught in task 7 to bypass these filters. Do not try the magic number bypass directly. If you receive an HTTP 30x response code when attempting the JavaScript bypass, research what this particular code means and how to prevent it from occurring. Okay, let's go. So it says /content, that's where it goes, right? Check it right here, so the /content page.

The file, it's there, /admin, right, /admin. Okay, nothing is going on there. Let's try again. Nope. What does it say? As a reminder, use this form to activate modules from the /modules directory. So nope, okay. All right, let's stop this; we're going to use the new gobuster script. All right, clear this out. Now we're going to use this list, but remember to add /content, because that's where the file is being uploaded. We're trying to see what jpeg files are in that directory; that's why the /content directory is important. So as you can see it's coming. All right, next is the JavaScript client-side filter, and it says try to use techniques from task 10. So first it says use techniques taught in task 7. So what is task 7? Ah yes, so we're trying to see if we can delete this. All right, so Settings, Request Interception Rules, Edit, and I am going to delete the JS. Okay, this should work. All right, intercept's on, Firefox, turn Burp on. All right, so right click, do intercept response. Okay, so let's see if I can forward it. Nope. Forward, do intercept this response, let's see. Okay, hold on, let's try this again. See, the server is using the MIME type... let me guess, you uploaded a shell, look for contents, but it's still showing not activating. So the server is running on Node.js; take a look. And then hint 10 tells you to execute the modules directory but your file... so using, all right. So the walkthrough is: so I did gobuster, used that, then gobuster with the list, this page, admin directory, yeah. The file you upload will end up in /content with a random three-letter filename. Okay, so got one right here. Go to the home page, use Burp Suite to remove the client-side filter as demonstrated in task 7. Okay, let's see, let's try again, forward. All right, let's see, intercept this, did that work? Okay, let's try again. All right, I'm going to clear this out, Ctrl+F5, intercept, let's see. Okay, I hope this works. Nope. Okay, so I think it's this one. Yeah, check file size, check magic number and file extension; we're going to delete that all right. Forward, forward. All right, I think that's done, so delete that.

So the server is using Node.js; the X-Powered-By header will show you. Download the Node.js reverse shell here, oops. So right click, so it says download the reverse shell here and fill in your own IP and chosen port and call it shell.jpg. Okay, so go right here. So nano shell.jpg. So this is the Node script. All right, so all these you don't really need. Okay, so client side, I put 1234 and then the IP address, the attack IP is mine, 10.10.110.64, it's right here, that's my AttackBox IP, and then exit, save. So I have my shell.jpg. All right, the next: use gobuster with the wordlist and the picture you uploaded, already did that. Notice the -x switch adding the jpg file extension to each request. Have a look at each of those files in a web browser; one of them will be your shell. Remember the name of this file, start a netcat listener on your chosen port number. Okay, so all right, it's almost done guys. So you can actually check this out. So /content, let's say ABH, wait, hold on, let's see, ABH.jpg, there you go. What the... ABH.jpg, why is it not working? Okay, oh I see why, got it, then slash. So you can't see it, you have to use dot dot, got it. So my ../content/ABH.jpg, interesting, this does not exist. Okay, so there's five of these. So now what I'm going to do is, all right, I'm going to go back, upload the shell.jpg right here, file successfully uploaded. So currently there's one, two, three, four, five, right? So if you gobuster again it should be the same. So ABH... you can netcat scan. So what we can do is nc -lvnp 1234. It says right here, have a look at each of the files in your web browser; one of them will be your shell. Remember the name of this file and start a netcat listener on your own machine using your chosen port number, then go to the admin page and type in ../content/ plus the name of the file. So for example it might be ../content/ABC. You should receive a reverse shell. Okay, so now that netcat is listening, scanning again, check this out guys. So my previous scan has five jpegs, there's ABH, ABH and look at this, FCH. So that will be, that should be the shell, but you cannot go directly. What's it, FCH. So you cannot display it, right, so you have to go to /admin, ../content. How do you type this, right, ../content/FCH.jpg, FCH. Okay, this should be correct. Top secret, wait, it's off. Okay, there we go, listening. I think it worked guys, but I'm not sure. Let's try again, see, this should work guys but I'm not sure. This should be... wait, cd var... oh my God, I did connect, sorry guys. That's it, that was it. That's it guys.

So last recap, you can do this walkthrough like this: first you gobuster the jewel website, then you see /content and /admin, then you upload a jpeg, then you download the task file and gobuster with the wordlist, use Burp Suite to stop the client-side, delete, what do they call it, delete the filters, and after that you upload the Node.js reverse shell as a .jpg file and you gobuster again. You find the different file from the five jpegs, then you go to /admin and use this one, ../content/, and use netcat; you should get the answer. So I already did have it. All right, that's it guys, I hope you like this video, give a thumbs up, hit the subscribe button. It took me a while to do this and a couple of times to upload this video. And then task 12, conclusion, just follow the steps, real basic, and we'll complete it. And that's it guys. If you want you can share on Twitter, Facebook, LinkedIn, and you go to the learning paths, you should complete Web Fundamentals. So far I did all the videos: Introduction to Cyber Security, Pre Security, Web Fundamentals. We're going to start the CompTIA PenTest+, so another easy module. Thanks for watching guys, till next time.
Info
Channel: PLei
Views: 266
Keywords: TryHackMe, Vulnerabilities
Id: qFdAyVu2KIs
Length: 25min 40sec (1540 seconds)
Published: Wed Oct 25 2023