As mentioned in a previous Dark Side post, I’m participating in TryHackMe’s Advent of Cyber 2. This is a 25-day hacking event where a new challenge is posted each day. Better yet, these are all beginner-friendly challenges with helpful video tutorials provided if needed.
Since it’s December 4th, I just completed the Day 4 challenge, and while I know it’s a beginner event, I have to say I’m becoming more and more confident in my new knowledge.
To this point, there have been four different web exploitation challenges, all of which leveraged different tools and techniques to perform an exploit and capture the flag.
- Day 1 — session cookie hacking
- Day 2 — file uploads exploit
- Day 3 — brute-force attack
- Day 4 — fuzzing
The challenge I really wanted to write about was Day 2’s file upload exploit because, to me, it was the most interesting one so far. Through this challenge, I learned some new things about URL parameters, and about why a site with a file upload form is like Christmas morning to a hacker!
Here’s our mission:
After your heroic deeds regaining control of the control centre yesterday, Elf McSkidy has decided to give you an important job to do.
“We know we’ve been hacked, so we need a way to protect ourselves! The dev team have set up a website for the elves to upload pictures of any suspicious people hanging around the factory, but we need to make sure it’s secure before we add it to the public network. Please perform a security audit on the new server and make sure it’s unhackable!”
After navigating to the IP of the deployed web server in the challenge, it loaded a file upload form that would become our entry point. The first step in this exploit was to understand what types of files the form accepted, which we determined via the page source. From that view, it became apparent that the accepted file types were all images (.png, .jpg, and .jpeg).
What I learned from this challenge is that file upload pages can be easy paths to exploitation for one main reason: weak implementations of file extension filtering. File extension filtering is how a website decides whether a file being uploaded is an accepted type. For example, if we only want users to upload images, we would configure the site to reject anything that isn’t a .png, .jpg, .jpeg, or another image file type.
A common implementation of file extension filtering is, not surprisingly, to split the file name at the “.” and check the piece that follows the first dot against the list of accepted extensions. A file name with more than one dot in it gets judged on that first piece alone, so as long as it looks like an image extension, the upload is accepted no matter what comes after it.
This is a risky implementation because it makes it easy for an attacker to upload a malicious payload disguised as a benign file, an image in our case: the filter is looking at one part of the name while the web server decides how to handle the file based on the part that comes last.
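To make the weakness concrete, here is an added example (my own code, not part of the TryHackMe task or the challenge server) that models the kind of extension check described above, side by side with a hardened version. The names `weak_extension_check` and `hardened_upload` are mine, the image magic bytes are the standard PNG and JPEG headers, and the sample uploads are constructed inline, including a harmless stand-in for a PHP payload named `shell.jpg.php`.

```python
import os
import secrets

# The image extensions the upload form in this challenge is meant to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}

# Standard file signatures for the accepted image types (not from the page).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",   # JPEG, covers both .jpg and .jpeg names
}
EXTENSIONS_FOR_KIND = {"png": {"png"}, "jpg": {"jpg", "jpeg"}}

# Constructed sample uploads: a minimal PNG header, a minimal JPEG header, and
# a harmless stand-in for a PHP reverse shell (no real payload here).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_PAYLOAD = b"<?php /* constructed stand-in for php-reverse-shell.php */ ?>"


def weak_extension_check(filename: str) -> bool:
    """Vulnerable check: split on '.' and trust the piece after the FIRST dot.

    'shell.jpg.php' -> ['shell', 'jpg', 'php'] -> 'jpg' -> accepted,
    even though a PHP-enabled web server will run it because it ends in .php.
    """
    parts = filename.split(".")
    if len(parts) < 2:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def sniff_image_type(data: bytes):
    """Return 'png' or 'jpg' if the content starts with a known image header."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_upload(filename: str, data: bytes):
    """Return the name the file would be stored under, or None if rejected.

    Checks the LAST extension, requires the file content to match it, and never
    reuses the user-supplied name on disk.
    """
    base = os.path.basename(filename)            # drop any path components
    root, dot, ext = base.rpartition(".")        # rpartition => last extension
    ext = ext.lower()
    if not dot or not root or ext not in ALLOWED_EXTENSIONS:
        return None                              # 'shell.jpg.php' dies here
    kind = sniff_image_type(data)
    if kind is None or ext not in EXTENSIONS_FOR_KIND[kind]:
        return None                              # content and name disagree
    # Server-chosen random name: the attacker's name never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print("weak filter accepts shell.jpg.php:", weak_extension_check("shell.jpg.php"))
    print("hardened stores shell.jpg.php as:", hardened_upload("shell.jpg.php", PHP_PAYLOAD))
    print("hardened stores photo.png as:", hardened_upload("photo.png", PNG_SAMPLE))
```

The weak check accepts `shell.jpg.php` because it only ever looks at `jpg`; the hardened version rejects it on the last extension alone, and would still reject a correctly named `.png` whose bytes are not actually a PNG. Checking the content signature is not a substitute for the extension check (a file can be a valid image and still carry text a misconfigured server might execute), so the safest combination is all three: last-extension allowlist, content check, and a server-generated file name in a directory the web server does not execute scripts from.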
In preparation for this exploit, I took an existing PHP reverse shell script (it connects back to a Netcat listener) and renamed it so I could trick the website.
I copied “php-reverse-shell.php” to my AttackBox’s Desktop with the name “shell.jpg.php”. When I uploaded this file to the website I was tasked with attacking, the site split the name at the first “.” and checked the piece that followed, “jpg”, against its list. Since .jpg is one of the accepted file extensions, the file was uploaded successfully, even though the name ends in .php and the web server would treat it as PHP.
I was able to further confirm this by navigating to the /uploads directory of the website:
So now what? Well, as I mentioned, this payload spawns a reverse shell that connects back to a Netcat listener on my AttackBox. Part of performing this exploit was to modify the payload so it would initiate a connection to my AttackBox’s IP over port 443.
With my malicious payload uploaded to the website, all I had to do was start my Netcat listener on port 443 and execute the script. So I started the listener, opened shell.jpg.php in the browser so the server would run it, and I was in!
All that was required now was to capture the flag. With a quick “ls” I found flag.txt and was able to open and read it. No spoiler alerts here, you’ll have to capture the flag on your own!
I really enjoyed this challenge for a few reasons. First, the creators of this challenge did a fantastic job of explaining each topic covered, and then providing a task to help us put things into context. For example, the task covers GET parameters, the key=value pairs in a URL’s query string that tell the server what to return.
In order to gain access to the website and continue with the exploit, instead of being provided a username and password, we had to pass a GET parameter named “ID” in the URL using an ID string provided by the challenge.
While the task did explain GET parameters in detail, having to use that knowledge to gain access to the site is a great way to show it in action.
The other aspect of the challenge that really helped me was the fact that the payload had to be modified in order for it to work properly. This gave me the opportunity to open the script, review the lines of code, and make the required changes to the IP and port. While I can’t take credit for writing the exploit, I now have that additional exposure and a better understanding of catching a reverse shell with Netcat.
So hopefully you learned a thing or two in this write-up and maybe you’ll be motivated to go check it out for yourself. Although Advent of Cyber started on December 1st, the challenges remain open and are free to anyone, so I would definitely recommend signing up if you don’t have an account already.
I’d like to give TryHackMe and the CTF creators a shoutout for holding this event and creating such awesome tasks that are basic enough for beginners, but challenging enough to put my new skills to the test. I’m gaining new confidence with each daily CTF and I’m proving to myself I can learn red teaming!