Questions

Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.

Upload a shell.php from PayloadsAllTheThings.

Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

Same steps as the first question, then read /flag.txt with cat.

Try to bypass the client-side file type validations in the above exercise, then upload a web shell to read /flag.txt (try both bypass methods for better practice)

Uploading a normal JPG works.

Try uploading a JPG that contains only PHP code and carries a .php extension.

Read the source code to find the uploads directory.

Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"

The .php extension is not allowed.

Send the request to Burp Intruder and fuzz the extension using the PHP extensions list.

The .phar extension works.

The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt"

The .phar extension is allowed, but because the body contains only PHP code, the error says only images are allowed. In this case we may have to use exiftool to add PHP code to the metadata of an image and rename it to a .php file, or we can try switching the order of the extensions.

If we swap the order of the .jpg and .phar extensions, the file is uploaded successfully.

The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"

The image cannot be displayed because it contains errors

From PayloadsAllTheThings, upload PHP_exif_system.jpg and intercept the request with Burp Suite.

Add the whitelisted PHP extension .phar so that the PHP code in the metadata is executed.
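The filters in the exercise above fail because each one trusts a different piece of client-controlled data in isolation. As an added illustration (not the lab's upload.php, written in Python rather than PHP so it runs stand-alone), here is a server-side validator that closes the gaps used in this section: it whitelists only the final extension, refuses any PHP-handled extension anywhere in the name (so a swapped .phar.jpg fails), checks the file's magic bytes instead of trusting the Content-Type header, and stores the file under a server-chosen name. The EXECUTABLE_EXTS set and the function name are assumptions for the example, not a complete list for any particular web server.

```python
import os
import re
import secrets

# Extensions a typical PHP host would hand to the interpreter. Rejecting any of
# them anywhere in the name blocks double extensions such as "shell.phar.jpg"
# as well as plain "shell.phar". (Assumed list for this example, not exhaustive.)
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml",
                   "phar", "phps", "pht", "phpt", "pgif", "inc"}

# Whitelist of accepted image types: extension -> (magic bytes, expected MIME).
# SVG is deliberately absent: it is XML and can carry scripts or entities.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif":  (b"GIF8", "image/gif"),
}


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason) or (accepted, stored_name) on success."""
    name = os.path.basename(filename)
    # Reject path separators, traversal and anything outside a tight charset.
    if name != filename or ".." in name or not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Blacklist check over EVERY extension segment, not just the last one.
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    # Whitelist check on the final extension only (the one the server acts on).
    if ext not in ALLOWED:
        return False, "extension not allowed"
    magic, mime = ALLOWED[ext]
    # Content-Type is client-supplied, so it is only a sanity check...
    if content_type != mime:
        return False, "content-type mismatch"
    # ...the file contents must actually start like the claimed image format.
    if not data.startswith(magic):
        return False, "content is not a %s image" % ext
    # Metadata is not scanned: PHP inside EXIF is inert once the file can never
    # be served with a PHP extension. Store under a random server-chosen name.
    return True, secrets.token_hex(16) + "." + ext
```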

The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt"

Upload HTB.svg to read files. Read upload.php.

Once HTB.svg is uploaded successfully, read source code.

After decoding, the source reveals the uploads directory: $target_dir = "./images/";

Now let's read /flag.txt

HTB{my_1m4635_4r3_l37h4l}

Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)

uploads directory; $target_dir = "./images/";
