Dark Side 106: Web Exploitation

Katlyn Gallo
Dec 5, 2020 · 6 min read

As mentioned in a previous Dark Side post, I’m participating in TryHackMe’s Advent of Cyber 2. This is a 25-day-long hacking event where new challenges are posted each day. Better yet, these are all beginner-friendly challenges with helpful video tutorials provided if needed.

Being that it’s December 4th, I just completed the Day 4 challenge and while I know it’s a beginner event, I have to say I’m becoming more and more confident in my new knowledge.

To this point, there have been four different web exploitation challenges, all of which leveraged different tools and techniques to perform an exploit and capture the flag.

  • Day 1 — session cookie hacking
  • Day 2 — file uploads exploit
  • Day 3 — brute-force attack
  • Day 4 — fuzzing

The challenge I really wanted to write about was Day 2’s file uploads exploit because this to me was the most interesting one so far. Through this challenge, I learned some new things about URL parameters and how a site with a file upload form is like Christmas Morning to a hacker!

Here’s our mission:

After your heroic deeds regaining control of the control centre yesterday, Elf McSkidy has decided to give you an important job to do.

“We know we’ve been hacked, so we need a way to protect ourselves! The dev team have set up a website for the elves to upload pictures of any suspicious people hanging around the factory, but we need to make sure it’s secure before we add it to the public network. Please perform a security audit on the new server and make sure it’s unhackable!”

After navigating to the IP of the deployed web server in the challenge, it loaded a file upload form that would become our entry point. The first step in this exploit was to understand what types of files the form accepted, which we determined via the page source. Through this view, it became apparent that the accepted file types were all images (.png, .jpg, and .jpeg).

What I learned from the reading in this challenge is that file upload pages can be easy paths to exploitation for one main reason: the implementation of file extension filtering. File extension filtering is how a website determines whether a file being uploaded is an accepted type. For example, if we only want users to be allowed to upload images, we would configure the site to reject anything that is not a .png, .jpg, .jpeg, or another accepted image file type.

A common implementation of file extension filtering is, not surprisingly, to split the file name at the “.”. If we uploaded images to a website that leverages this type of extension filtering, it would parse the file names shown below and determine that they all had accepted extensions.

This is a risky implementation because it makes it easy for an attacker to upload a malicious payload disguised as a benign file, an image in our case.
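To make the difference concrete, here is an added example (my own code, not part of the TryHackMe task or the original post) that puts a naive first-dot filter beside a hardened one. The naive version reproduces the behaviour the post describes, where a double-extension name passes because the text after the first dot still begins with an allowed extension; the hardened version checks only the last extension against an allowlist, rejects multi-dot names, confirms the file content carries the magic bytes of the claimed image type, and stores the file under a random name. The sample file names and byte strings are constructed for the demo.

```python
import os
import secrets

# Extensions the upload form is meant to accept (from the challenge's page source).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}

# File signatures for the accepted image types, so we validate content, not just names.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def naive_extension_ok(filename: str) -> bool:
    """Vulnerable filter (constructed to mirror the post): split at the FIRST '.'
    and accept if the remainder begins with an allowed extension.
    'shell.jpg.php' -> remainder 'jpg.php' -> starts with 'jpg' -> accepted."""
    _, _, remainder = os.path.basename(filename).partition(".")
    remainder = remainder.lower()
    return any(remainder.startswith(ext) for ext in ALLOWED_EXTENSIONS)


def strict_extension_ok(filename: str) -> bool:
    """Hardened filter: exactly one dot, and the text after it must be an
    exact allowlist match. Multi-dot names are refused outright so a server
    that reads extensions right-to-left never sees '.php' at the end."""
    base = os.path.basename(filename)
    if base.count(".") != 1 or base.startswith("."):
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check that the bytes really start with the signature of the claimed type,
    so a script renamed to 'payload.jpg' is still refused."""
    signature = MAGIC.get(ext.lower())
    return signature is not None and data.startswith(signature)


def accept_upload(filename: str, data: bytes) -> bool:
    """Full defensive decision: strict name check plus magic-byte check."""
    if not strict_extension_ok(filename):
        return False
    ext = os.path.basename(filename).rsplit(".", 1)[1]
    return content_matches_extension(data, ext)


def safe_stored_name(filename: str) -> str:
    """Never store a file under the user-supplied name; keep only the validated
    extension and generate a random basename (hypothetical storage policy)."""
    if not strict_extension_ok(filename):
        raise ValueError("extension rejected")
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: (name, first bytes of content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)),   # genuine JPEG header
    ("logo.PNG", MAGIC["png"] + bytes(16)),          # genuine PNG header, odd case
    ("shell.jpg.php", b"<?php echo 1; ?>"),          # double extension from the post
    ("shell.jpg", b"<?php echo 1; ?>"),              # script renamed to a plain .jpg
    ("shell.php", b"<?php echo 1; ?>"),              # no disguise at all
]


def main() -> None:
    print(f"{'file':16} {'naive':>6} {'strict':>7} {'content':>8}")
    for name, data in SAMPLES:
        print(f"{name:16} {str(naive_extension_ok(name)):>6} "
              f"{str(strict_extension_ok(name)):>7} {str(accept_upload(name, data)):>8}")


if __name__ == "__main__":
    main()
```

Running it prints one row per sample: the double-extension name is the only one where the naive and strict checks disagree, and the renamed script with a plain .jpg name is caught only by the content check, which is why the name filter alone is never enough.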

In preparation for this exploit, I took an existing script that creates a reverse shell via Netcat, and renamed it so I could trick the website:

The above command took “php-reverse-shell.php” and copied it to my AttackBox’s Desktop with the name “shell.jpg.php”. Upon uploading this file to the website I was tasked with attacking, the site filtered on the first “.” in the file name and saw an extension of “.jpg.php”. Since .jpg matches one of the accepted file extensions, the file was uploaded successfully:

I was able to further confirm this by navigating to the /uploads directory of the website:

So now what? Well, as I mentioned, this is a Netcat payload to create a reverse shell that connects back to my AttackBox. Part of performing this exploit was to modify the payload so it would initiate a connection to my AttackBox’s IP over port 443.

With my malicious payload uploaded to the website, all I had to do was start my Netcat listener on port 443 and execute the script. So I started the listener, and opened shell.jpg.php from the browser, as shown in the screenshot above, and I was in!

All that was required now was to capture the flag. With a quick “ls” I found flag.txt and was able to open and read it. No spoiler alerts here, you’ll have to capture the flag on your own!

Final Thoughts

I really enjoyed this challenge for a few reasons. First, the creators of this challenge did a fantastic job of explaining each topic covered, and then providing a task to help us put things into context. For example, the task covers GET parameters, which are parts of a URL that help to specify what the site needs to fetch.

In order to gain access to the website and continue on with the exploit, instead of being provided a username and password, we had to supply a GET parameter named “ID” with an ID string that was provided.

While the task did explain GET parameters in detail, having to leverage that knowledge to gain access to the site is a great way to show it in action.

The other aspect of the challenge that really helped me was the fact that the payload had to be modified in order for it to work properly. This gave me the opportunity to open the script, review the lines of code, and make the required changes to the IP and port. While I can’t take credit for writing the exploit, I now have that additional exposure and a better understanding of using Netcat to perform a reverse shell exploit.

So hopefully you learned a thing or two in this write-up and maybe you’ll be motivated to go check it out for yourself. Although Advent of Cyber started on December 1st, the challenges remain open and are free to anyone, so I would definitely recommend signing up if you don’t have an account already.

I’d like to give TryHackMe and the CTF creators a shoutout for holding this event and creating such awesome tasks that are basic enough for beginners, but challenging enough to put my new skills to the test. I’m gaining new confidence with each daily CTF and I’m proving to myself I can learn red teaming!

Dark Roast Security

Dark Roast — because the dark web isn’t as good

Katlyn Gallo

Written by

Coffee lover, bookworm, and InfoSec enthusiast | https://www.buymeacoffee.com/katlyngallo

Dark Roast Security

Dark Roast Security is here to inspire, educate, and share ideas about InfoSec. This publication is a platform designed to bring people together that are passionate about sharing their knowledge or want to learn something new about Cybersecurity. Follow to join our community!
