Try Hack Me: Upload Vulnerabilities

The skills tested and needed to solve the final task of this walkthrough room are: reverse shells, Burp Suite, upload vulnerabilities, and bypassing client-side extension filtering.

I am not writing a walkthrough for all the tasks because this is a “walkthrough” room. The only part where the creator doesn’t hold your hand is Task 11: Challenge. Shoutout to @MuirlandOracle for creating the room. You can access the room at https://tryhackme.com/room/uploadvulns

I was assigned a target IP address of 10.10.82.178; you will be assigned a different IP address. If you did the tasks before the challenge task, then you know that you have to add your assigned IP address to the hosts file.

The final challenge is:

  • Hack the machine and grab the flag from /var/www
    • THM{N******************************2}

Steps:

1. Visit the page by opening a web browser and typing jewel.uploadvulns.thm

2. Check the page source code, and click on the JavaScript file to understand how the script handles the upload of a file:

3. There are three things the script checks for the file upload to be successful. For this task, we will work on the “Magic Number” check.

4. Now that we know it uses JavaScript, we have to prepare our reverse shell. You can find NodeJS reverse shell scripts here. Copy the script and save it using the “filename.jpg” format, and make sure that you set the IP address to your VPN adapter’s IP, typically tun0, and a port number of your choice. Here’s mine:

5. Make sure that Burp Suite is set up to intercept JavaScript client requests, because by default it is not. You can do this by starting Burp, going to Proxy > Options, and looking for the “Intercept Client Requests” section. Hit Edit:

6. Delete the highlighted entry and hit OK:

7. Before we continue exploiting the upload vulnerability, let’s check something else so we don’t have to guess which file is the reverse shell we will upload later. There are pre-existing files with the same .jpg extension, and if you don’t know which one is yours, you will have to check each file to figure it out. Right-click on the page and click Inspect Element.

8. Click on Style Editor and scroll all the way down to see the pre-existing files:

  • Now, when you enumerate later to figure out which one is your file, you just have to compare the files from your enumeration to the list above.

9. This step is important so you don’t get the “Module does not exist” error when you trigger your reverse shell. You will have to clear your browser’s cached web content:

10. Now, turn on the proxy in your browser, and make sure Intercept is on in Burp Suite.

11. Hit refresh in your browser, then go to Burp Suite’s Intercept tab. Click Forward until you reach the request for the “upload” script, then right-click on the empty space in Burp and click “Do intercept > Response to this request”.

12. Click Forward until you see the response from the server. Comment out the “Check Magic Number” block by adding two forward slashes at the beginning of each line, up to and including its closing curly bracket:

13. Keep hitting “Forward” until there are no more requests to forward to the server:

14. You can now close Burp Suite and undo the proxy settings in your browser. Check the homepage’s source code again, and also the upload JavaScript, to confirm that the “Magic Number” filter has been disabled successfully:

  • Compare the images above. The first image is after we went through all of the previous steps involving Burp Suite to bypass client-side filtering.

15. Let us upload the reverse shell that we created in Step 4:

  • The image above tells us that we have successfully bypassed the magic number filtering. If we had not disabled the filter, our upload would have failed, because the filter looks for the file signature of a JPG/JPEG file in the first bytes of the upload. Below is an image of a JPG/JPEG file signature:
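To show why a check like this only counts when it runs where the uploader cannot edit it, here is an added example (not the room’s code) of the same magic-number check done server-side in Node.js. It goes slightly beyond the page by recognising PNG and GIF signatures as well as JPEG, and by requiring the extension to agree with the sniffed content; the signature table and sample buffers are constructed for the example.

```javascript
// Added example (not the room's code): a server-side "magic number" check.
// The client-side JavaScript on the page can be commented out in Burp, so
// the same check must run on the server, where the uploader cannot reach it.

// File signatures (magic numbers) for the image types we accept.
// Constructed table; offsets are from the start of the file.
const SIGNATURES = {
  jpeg: [0xff, 0xd8, 0xff],                               // FF D8 FF
  png:  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], // .PNG....
  gif:  [0x47, 0x49, 0x46, 0x38],                         // GIF8
};

// Extensions that are allowed to carry each sniffed type.
const EXTENSIONS = {
  jpeg: ['jpg', 'jpeg'],
  png: ['png'],
  gif: ['gif'],
};

// Return the image type implied by the leading bytes, or null if none matches.
function sniffImageType(buf) {
  for (const [type, sig] of Object.entries(SIGNATURES)) {
    if (buf.length >= sig.length && sig.every((b, i) => buf[i] === b)) {
      return type;
    }
  }
  return null;
}

// Accept an upload only when the extension and the real content agree.
// Returns an object so the caller can log the reason for a rejection.
function validateUpload(filename, buf) {
  const ext = filename.split('.').pop().toLowerCase();
  const type = sniffImageType(buf);
  if (type === null) {
    return { ok: false, reason: 'no known image signature' };
  }
  if (!EXTENSIONS[type].includes(ext)) {
    return { ok: false, reason: `content is ${type} but extension is .${ext}` };
  }
  return { ok: true, type };
}

// Constructed sample inputs: a minimal JPEG/JFIF header, and a text file
// that has simply been renamed to .jpg (no image signature at all).
const realJpeg = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]);
const renamedScript = Buffer.from('console.log("not an image");\n', 'utf8');

console.log(validateUpload('photo.jpg', realJpeg));      // { ok: true, type: 'jpeg' }
console.log(validateUpload('shell.jpg', renamedScript)); // { ok: false, reason: 'no known image signature' }
```

A check like this still says nothing about what the server later does with the file, so it belongs alongside (not instead of) keeping uploads out of any path that is executed or included.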

16. Let’s enumerate the jewel.uploadvulns.thm/content to find our uploaded reverse shell. Type gobuster dir -u https://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg

  • dir – use directory/file brute-forcing mode
  • -u – the flag that tells gobuster which URL to scan
  • -w – the flag that sets the wordlist of possible directory and file names
  • -x – the flag that limits the search to a specific file extension
  • If you compare the image above to the one in Step 8, you can see that the file TRD.jpg is a new entry, meaning that it is the reverse shell we uploaded.

17. Start a netcat listener from your attack machine by typing nc -nlvp 8888 and make sure to match the port number of your listener to the port number you used in your reverse shell script.

18. Go to the admin page to execute our reverse shell. Open a browser, type jewel.uploadvulns.thm/admin and hit Enter.

19. Type ../content/TRD.jpg in the field and hit enter, then go back to the netcat listener that you set up to check if you got a shell:

We got a shell and we are ROOT!

20. Hack the machine and grab the flag from /var/www:

And we got the FLAG!

I hope this will help my fellow learners who are struggling with completing this challenge.

Please don’t forget to subscribe to my blog to get updates when a new blog entry is uploaded.

Published by lightkunyagami

https://tryhackme.com/badge/18276

6 Comments

  1. I love you… fml, I stayed for 2.5h on this site… only for the fu…. cache.
    So… when I read you saying to clear the cache, I clapped my head…
    Really thanks hahah
