Self Notes: Web Security Academy File upload vulnerabilities Lab 3

-

(In the name of Allah, the most gracious, the most merciful) بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم 

It's been a while I wrote, mostly due to work and a little bit of laziness. Anyways I recently came across a lab from PortSwigger web security academy that I spent so much time without solving (I was really disappointed with myself when I figured out the solution), so as usual I am writing about it so I don't forget and so it may serve as a reference in the future.

The Lab is under the file upload vulnerabilities section, it is tagged as practitioner level difficulty (hence, my disappointment).

Task: This lab contains a vulnerable image upload function. The server is configured to prevent the execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/Carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

So the task is to exploit a vulnerable PHP upload functionality and upload a web shell, also it's stated that the server is configured not to execute the user-supplied files. Let's investigate if that's true. We are provided the following file upload form:


 But of course, what really matters is the request and response we get from the server, so we upload the following shell:


the request:


We got the following response:


And when we visit shell.php we see this:


Our script is not executed but rendered as plain text so we can confirm that scripts files in this directory are not executable, we will need to find a bypass. But from the task, we've already been given a tip that we will need to exploit a secondary vulnerability; path traversal 😃 (something we've dealt with previously), so I begin to search for any exploitable path traversal vulnerability but to no avail, I even when on to use Burp Intruder payload for path traversal fuzzing, but that also yielded nothing. It turned out the problem was from me, I have already made an assumption about the vulnerability, that it would be in another functionality as it's typical of PortSwigger labs, but unfortunately, I was wrong. Of course, I only figured that out after wasting so much time. My first breakthrough came from this observation:


Whenever I added a path traversal sequence to any resource endpoint as above we get a 404 response, this behavior was consistent for all endpoints except (you guessed it 😃):



We don't get a 404 when we send this specific request, now the reason I wasted so much time to find this was that normally when attempting to find path traversal vulnerabilities we pass several path traversal sequences e.g "../../../../../../../../../../etc/passwd" to reach the root of the file system, but in this specific case it backfired because we had a limited path traversal vulnerability, which only works one directory above our current upload directory, it's for the same reason we didn't discover it with Burp Intruder. So now a limited path traversal what next? if we could find a way to upload our PHP script to that directory perhaps it will be executed. So we try to upload to that directory using the path traversal sequence in the file name parameter:


And we get a response that the file was uploaded successfully to our specified directory, notice also that the filename is completely URL-encoded, this is because it won't work when you pass it as plaintext, probably because there is a reverse proxy normalizing the path or something else, not sure, but whenever in doubt URL-encode the input. Let's try executing our PHP shell now.


Lo and behold, our script gets executed and we have a shell. All that is left is to retrieve Carlos' secret file. Note that our shell takes in a base64 encoded input and decodes it before executing it as a system command.





And we've solved this lab.



So the most important takeaway for me from this lab is to question your assumptions consistently, more so it's better to start simple and scale up instead of assuming some complexity only to find out you were wrong after wasting time. That will be all for this post see you in the next one.



Comments

Post a Comment

Popular posts from this blog

Before You Dive In...

-
I have always wanted to write, partly to improve my writing skills but also to document my research in reverse code engineering, software exploitation and computer programming in general, my current goal is to have at least a post a week, but since am just starting out I do not know how feasible that will be considering school and my need for quality over quantity. In the coming weeks, I will post on varying topics from software reverse engineering to exploitation and basically anything that interest me. My primary aim is just to cement my knowledge in my fields of interest by giving back to the community as I learn and hopefully along the way help someone trying to learn. A quick disclaimer though is that I am no professional at either writing or the subject on which I will be writing (at least for now),  am just trying to navigate through the vast ocean of knowledge hoping to pick one or two things along the way, so corrections, constructive criticism, and even unconstructive ones
Read more

OverTheWire: Bandit Lab

-
Image
Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful) So recently I and @electro decided to solve wargames and CTFs in the spirit of honing the skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire  and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. This Labs weren't so difficult but required a bit of thinking outside the box, hence why am documenting them. NB : this writeup doesn't include our thought process while solving the levels Level 26 Level Description When we attempt to login to this level using the private key obtained from the previous level we get automatically logged out and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it. Above is the
Read more

SSRF Notes: PortSwigger Labs Continued

-
Image
  Lab 3: SSRF with blacklist-based input filter Task :  This lab has a stock check feature which fetches data from an internal system.  To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.  The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This Lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. we get this response: That's the filter blocking us. It turned out 127.0.0.1, localhost, admin are all blacklisted so cannot be used. So after trying a couple things the following was able to bypass the filter: We get the following response: So to complete the Lab we just proceed to delete carlos. And that's it Lab solved.
Read more