🎯Skills Assessment

🎯 Real-World Assessment: Complete attack chain combining multiple bypass techniques to achieve RCE

Challenge Overview

Objective: Exploit upload form to read the flag found at root directory "/"

Target: Contact form with image upload functionality that employs multiple security layers:

  • Extension validation (blacklist + whitelist)

  • Content-Type validation

  • MIME-Type validation

  • File size restrictions

Phase 1: Initial Reconnaissance

Discovery Process

1. Target Identification:

  • Navigate to website root page

  • Click on "Contact Us" section

  • Identify image upload functionality

2. Upload Behavior Analysis:

  • Images upload and display directly after clicking green icon

  • No need to click "SUBMIT" button

  • Files saved as base64 strings (upload directory hidden)

Key Observations

Upload Response Analysis:

Phase 2: Extension Bypass Discovery

Burp Suite Setup

1. Proxy Configuration:

  • Start Burp Suite

  • Set FoxyProxy to "BURP" profile

  • Intercept upload request (Ctrl + I)

2. Extension Fuzzing Setup:

Extension Discovery Results

Testing Method:

  1. Clear default payload markers

  2. Add payload marker: §.jpg§

  3. Uncheck "URL-encode these characters"

  4. Load PHP extensions wordlist

  5. Execute attack

Extensions Wordlist:

Discovered Allowed Extensions:

Analysis: These extensions bypass the blacklist but still trigger whitelist validation.

Phase 3: Content-Type Bypass Discovery

Content-Type Fuzzing

Payload Position:

Wordlist Preparation:

Successful Content-Types

Attack Results:

Critical Discovery: image/svg+xml is allowed, enabling XXE attacks!

Phase 4: Source Code Disclosure via XXE

SVG XXE Payload Creation

XXE File Creation:

Upload Process

1. Filename Bypass:

2. Burp Request Modification:

Source Code Analysis

Base64 Decoding:

Decoded upload.php:

Critical Intelligence Gathered

1. Upload Directory: ./user_feedback_submissions/ 2. File Naming Pattern: date('ymd') . '_' . basename($_FILES["uploadFile"]["name"]) 3. Validation Logic:

  • Blacklist: Blocks .ph(p|ps|tml) extensions

  • Whitelist: Requires [a-z]{2,3}g$ ending (explains why .phar works!)

  • Content-Type: Must match /image\/[a-z]{2,3}g/ (explains why svg+xml works!)

Phase 5: Web Shell Upload and Execution

Combined Attack Payload

Shell Creation:

Why This Works:

  • βœ… Extension: .svg satisfies whitelist regex [a-z]{2,3}g$

  • βœ… Content-Type: image/svg+xml matches type validation

  • βœ… Execution: .svg files processed as XML, PHP code executed

  • βœ… Bypass: .phar in middle bypasses blacklist (doesn't end with prohibited extension)

Upload Process

1. Frontend Bypass:

2. Burp Request Modification:

Command Execution

File Location Calculation:

Test Command Execution:

Expected Response:

Flag Retrieval

Final Command:

Flag Format: HTB{...}

Attack Chain Summary

Complete Methodology

1. πŸ” Reconnaissance

  • Identify upload functionality

  • Analyze upload behavior and responses

2. 🎯 Extension Discovery

  • Fuzz extensions with Burp Intruder

  • Identify bypasses (.phar, .pht, etc.)

3. πŸ“‹ Content-Type Analysis

  • Fuzz Content-Type headers

  • Discover allowed image types including svg+xml

4. πŸ“„ Source Code Disclosure

  • Create XXE SVG payload

  • Extract upload.php source code

  • Analyze validation logic and file paths

5. πŸ’£ Web Shell Deployment

  • Craft combined XXE+PHP payload

  • Bypass all validation layers

  • Upload executable web shell

6. ⚑ Command Execution

  • Calculate file location using date pattern

  • Execute system commands via URL parameter

  • Retrieve target flag file

Technical Analysis

Validation Bypass Techniques Used

1. Extension Filtering Bypass:

2. Content-Type Bypass:

3. File Execution Chain:

Vulnerability Root Causes

1. Insufficient Extension Validation:

  • Regex allows 3-character extensions ending in 'g'

  • Enables .svg uploads which can contain executable code

2. Weak Content-Type Validation:

  • Allows image/svg+xml which supports embedded scripts

  • SVG files processed as XML with PHP execution context

3. Direct File Access:

  • Uploaded files accessible via direct URL

  • No execution restrictions in upload directory

4. Predictable File Naming:

  • Date-based prefixes are easily calculated

  • File locations can be determined without disclosure

Defense Recommendations

Immediate Mitigations

1. Strict Extension Whitelist:

2. Enhanced Content Validation:

3. Execution Prevention:

4. File Access Control:

Long-term Security Measures

  1. Content Sanitization - Strip metadata and reprocess images

  2. Isolated Processing - Process uploads in sandboxed environment

  3. Random File Names - Use UUIDs instead of predictable patterns

  4. WAF Protection - Deploy web application firewall rules

  5. Regular Updates - Keep all file processing libraries current

Learning Outcomes

Skills Demonstrated

Technical Skills:

  • πŸ” Reconnaissance - Upload functionality discovery

  • 🎯 Fuzzing - Extension and Content-Type enumeration

  • πŸ›‘οΈ Bypass Techniques - Multi-layer validation circumvention

  • πŸ“„ XXE Exploitation - Source code disclosure via XML processing

  • πŸ’£ Web Shell Deployment - Combined payload crafting

  • ⚑ Command Execution - System-level access achievement

Methodology Skills:

  • Systematic Testing - Methodical validation layer analysis

  • Chain Exploitation - Combining multiple vulnerabilities

  • Pattern Recognition - Understanding validation logic flaws

  • Tool Integration - Burp Suite automation and manual testing

Key Takeaways

  1. Defense-in-Depth Failure - Multiple weak controls don't equal strong security

  2. Regex Complexity Risk - Complex patterns often contain logical flaws

  3. File Type Confusion - SVG files blur line between data and executable content

  4. Information Disclosure Impact - Source code access enables targeted attacks

  5. Chained Vulnerabilities - Individual weak controls compound into critical risk

This Skills Assessment perfectly demonstrates how real-world file upload vulnerabilities require combining multiple techniques to achieve successful exploitation.

PreviousPrevention & HardeningNextCommand Injection

Last updated