Level 11 - Level 12
This time we get a form with an option to upload JPEG images, with a maximum file size of 1KB.
We also get a link to the source code.
Before digging into the source code, I tested the functionality of the application by uploading a sample image of size 1KB.
But the application responded that there was an error uploading the file. I also tried to upload a PNG image, and images larger than the stated limit, but it responded the same way.
So I started digging into the source code. Let's break down the file upload process:
First, a random file name with a hard-coded .jpg extension is generated when the form is built, and it is submitted along with the file.
Next, the makeRandomPathFromFilename function is called with a directory name and a file name as input. In our case the directory name is hard coded as upload, and the file name is the one that was randomly generated by the genRandomString function; its value is read back from the incoming request data, so it is under the client's control.
The makeRandomPathFromFilename function extracts the extension from that filename and passes it to another function, makeRandomPath, which generates a fresh random name with genRandomString, joins it with the base directory and the extension, and then checks whether the resulting path already exists. If it does, a new path is generated; otherwise the path is returned.
After the target path has been generated, the file size limit is verified and the file is moved into place with the PHP function move_uploaded_file; the return value of that call decides whether the upload is reported as successful.
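To make the flaw concrete, here is a Python model of the upload flow just described, written for this write-up and not taken from the level's PHP source. It assumes the PHP functions behave as described above (random name, extension copied from the submitted filename, size check before the move), uses 1000 bytes for the 1KB limit, and does not actually move any file; each handler only returns the decision and the path it would have used. Alongside the vulnerable flow it shows a hardened version that the original is missing: an extension allow-list, a JPEG magic-byte check, and a server-chosen extension so the client's filename never decides how the file is interpreted.

```python
import os
import secrets

UPLOAD_DIR = "upload"          # the write-up says the directory is hard coded as "upload"
MAX_BYTES = 1000               # the write-up gives the limit as 1KB; 1000 bytes is an assumption
ALLOWED_EXT = {"jpg", "jpeg"}  # allow-list used only by the hardened handler (my choice)
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG files start with the SOI marker FF D8 FF


def gen_random_string(length=10):
    """Model of genRandomString: a random lowercase alphanumeric name."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_random_path(directory, ext):
    """Model of makeRandomPath: keep generating names until one is unused."""
    while True:
        path = os.path.join(directory, gen_random_string() + "." + ext)
        if not os.path.exists(path):
            return path


def make_random_path_from_filename(directory, filename):
    """Model of makeRandomPathFromFilename: the extension is whatever follows the
    last dot in the client-supplied filename. Nothing checks it."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return make_random_path(directory, ext)


def vulnerable_handle(filename_field, data):
    """Upload flow as the write-up describes it: random path, size check, move.
    Returns (accepted, target_path_or_reason). The move itself is not performed."""
    target = make_random_path_from_filename(UPLOAD_DIR, filename_field)
    if len(data) > MAX_BYTES:
        return False, "File is too big"
    return True, target  # a .php target path is accepted as readily as .jpg


def hardened_handle(filename_field, data):
    """Same flow with the checks the original is missing: size first, then an
    extension allow-list, a JPEG magic-byte check, and a server-chosen extension."""
    if len(data) > MAX_BYTES:
        return False, "File is too big"
    ext = filename_field.rsplit(".", 1)[1].lower() if "." in filename_field else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not data.startswith(JPEG_MAGIC):
        return False, "content is not a JPEG"
    # Never reuse the client's extension: always store as .jpg under the upload dir.
    return True, make_random_path(UPLOAD_DIR, "jpg")


if __name__ == "__main__":
    webshell = b"<?php echo shell_exec($_GET['cmd']); ?>"  # constructed sample payload
    print("vulnerable:", vulnerable_handle("abcdefghij.php", webshell))
    print("hardened:  ", hardened_handle("abcdefghij.php", webshell))
    print("hardened:  ", hardened_handle("abcdefghij.jpg", webshell))
    print("hardened:  ", hardened_handle("abcdefghij.jpg", JPEG_MAGIC + b"\x00" * 16))
```

Of the three added checks, the server-chosen extension is the one that matters most: a magic-byte check alone can be satisfied by a file that is both a valid JPEG and PHP source, but if the server never writes a .php name, the web server never hands the upload to the PHP interpreter.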
We can see that no validation is performed on the uploaded file's type or extension, so I tried to upload a simple PHP reverse shell:
The file was uploaded successfully, but it was stored with a .jpg extension, because the extension is copied from the filename value that the form submits. We can change this by intercepting the upload request with Burp Suite and changing that filename's extension from jpg to php.
The reverse shell was uploaded with the .php extension. Now let's try to execute commands via our reverse shell.
The reverse shell is working. Now let's retrieve the password by viewing the contents of /etc/natas_webpass/natas13.