Showing posts from May, 2024

Practitioner Lab 9: Web shell upload via extension blacklist bypass

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`

To start this lab I logged in as wiener. This lab took me longer than I wanted. I didn’t understand how .htaccess worked very well, but after doing some research I learned how it all worked and how it gives configurations for a particular directory. I knew it was an Apache server because when I first did the POST request it told me it was Apache. I went and made an .htaccess file. This file basically tells the server that if it sees any .php5 to then run that file as if it was a PHP file. When I initially uploaded this I

Practitioner Lab 8: Web shell upload via path traversal

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`

I start by going into the website with Burp Suite on. I checked all the requests. My first thought is to try to upload a file even if it fails, because it might give me some source code information as to where I could upload the file. When I did this it only sent me the contents of the file back; it didn’t execute the script. While looking around I found a comment page where I can upload another image that might not be as secure. This did not work because it was not allowing me to upload. My plan was to upload on my account and th

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.

I went into the page and looked at the check stock, which accesses the database. Here I took a look at the request to see what was happening and how it was working. Here I first check how it would react if I just tried to use the IP directly without using local. I will use their own URL and then `&path=http://192.168.0.12:8080/admin` at the end of the URL. As can be seen, the URL doesn’t allow for redirections. I need a URL that needs redirections. This URL allows for redirections; I found this after clicking next item: `/product/nextProduct?currentProductId=1&path=/product?productId=2`. I can use this URL and feed it to the stock checker to then be able to go to the admin page. I put the URL that I got before here to then be able to redirect to