Posts

Self Notes: Web Security Academy File upload vulnerabilities Lab 6

Image
(In the name of Allah, the most gracious, the most merciful)     بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم This Lab as with the previous labs is quite easy, the difficulty is practitioner-level , so I will make it very brief as most of the concepts are the same. In fact, the only reason I am writing about it is that it has one uncommon feature ( EXIF , at least to most people) otherwise it's pretty straightforward and easy. Task :  This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter From the task statement, we understand that the content of the file is actually checked to ...

Self Notes: Web Security Academy File upload vulnerabilities Lab 5

Image
(In the name of Allah, the most gracious, the most merciful)     بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم In this post, we continue with exploiting the labs on file upload vulnerabilities from PortSwigger. Lab 5 is also a practitioner-level difficulty. Task :  This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter Just like the previous post , we need to upload a web shell and exfiltrate Carlos' secret, but in this case, we are dealing with a filter bypass. Let's play around with the upload request and find out: Above we upload a normal jpeg and we got the following response: The file was uploade...

Self Notes: Web Security Academy File upload vulnerabilities Lab 3

Image
(In the name of Allah, the most gracious, the most merciful)  بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم   It's been a while I wrote, mostly due to work  and a little bit of laziness. Anyways I recently came across a lab from PortSwigger web security academy that I spent so much time without solving (I was really disappointed with myself when I figured out the solution), so as usual I am writing about it so I don't forget and so it may serve as a reference in the future. The Lab is under the file upload vulnerabilities section, it is tagged as practitioner level difficulty (hence, my disappointment). Task:  This lab contains a vulnerable image upload function. The server is configured to prevent the execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/Carlos/secret. Submit this secret using the button provided in...

OverTheWire: Bandit Lab

Image
Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful) So recently I and @electro decided to solve wargames and CTFs in the spirit of honing the skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire  and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. This Labs weren't so difficult but required a bit of thinking outside the box, hence why am documenting them. NB : this writeup doesn't include our thought process while solving the levels Level 26 Level Description When we attempt to login to this level using the private key obtained from the previous level we get automatically logged out and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it. Above is the ...

SSRF Notes: PortSwigger Labs Continued

Image
  Lab 3: SSRF with blacklist-based input filter Task :  This lab has a stock check feature which fetches data from an internal system.  To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.  The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This Lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. we get this response: That's the filter blocking us. It turned out 127.0.0.1, localhost, admin are all blacklisted so cannot be used. So after trying a couple things the following was able to bypass the filter: We get the following response: So to complete the Lab we just proceed to delete carlos. And that's it Lab solved.