Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution )

Hi everyone,
After completing my OSCP certification I thought to give a try to bug bounty, as OSCP has sharpened my exploitationSkills.

I will use lol.com to represent an application as can not disclose the website’s name.

While i was enumerating an application i got a domain which was basically an image server and was managing the images which has uploaded by a user, while enumerating more, i got an endpoint which was allowing me to call the server local files such as passwd , cron jobs and current running services on the server.

As it was a image server means the server stores all the images which user uploads form his/her profiles.

I again went back to lol.com and started looking for photo upload functionality that from where i can upload the photo and i got the profile photo option which is allowing me to upload the photos to an application and the photos were storing to the image server.

Now photo upload functionality has ext parameter which is used for file extensions checks but due to improper validations on the parameter, i was able to tamper the values and can upload unrestricted files on the server, i tried to upload php shell but as it was image server so it was not serving the php but by reconig more via lfi i came to know that i can get a shell via perl so i uploaded a perl reverse shell to get a reverse shell on my public IP.

And with the use of LFI I called the file and i got the reverse shell on my public IP.

Thanks for reading, Hope you guys liked it.