HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments

Hi All,
I need support with the skill assessments about file upload in the HTB Academy.

  1. Using burp I intercepted the post request to upload.php;
  2. I sent it to Repeater and I found that the extension “.php\x00.jpeg” is accepted by the server;
  3. I set the content type to image/jpeg and the magic bytes to those of a JPEG image;
  4. I created a body for the multipart which contains the following to exfiltrate the content of “upload.php”:

I receive a 200 OK response, but the content is my request encoded in base64 and not the content of the “upload.php” page encoded in base64.

Any ideas?

Thanks a lot.
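The three tricks listed in the post above (a null byte in the extension, a spoofed Content-Type, spoofed magic bytes) are exactly what a server-side upload check has to defeat. As an added example, not part of this thread and not HTB's own upload.php, here is a PHP validator that rejects each of them; the names ALLOWED, validate_upload and safe_target are chosen here for illustration.

```php
<?php
// Added example, not the assessment's upload.php. Allowlist of extension => MIME type.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/**
 * Returns null when the upload is acceptable, otherwise the rejection reason.
 * $clientName and $clientType come from the multipart request and are untrusted;
 * $tmpPath is the file PHP already wrote to disk ($_FILES['file']['tmp_name']).
 */
function validate_upload(string $clientName, string $clientType, string $tmpPath): ?string
{
    // 1. A null byte never belongs in a filename. "shell.php\0.jpeg" is meant to be
    //    truncated to "shell.php" by C string handling further down the stack.
    if (strpos($clientName, "\0") !== false) {
        return 'null byte in filename';
    }
    // 2. Use only the LAST extension, lower-cased, and require it on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'extension not allowed';
    }
    // 3. The client's Content-Type is attacker-controlled and proves nothing;
    //    it is only checked for an obvious mismatch with the extension.
    if (strtolower($clientType) !== ALLOWED[$ext]) {
        return 'declared type does not match extension';
    }
    // 4. Detect the type from the bytes on disk (libmagic). This catches a bare lie in
    //    the header, but a real JPEG signature glued in front of PHP source still passes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: 'unknown';
    if ($detected !== ALLOWED[$ext]) {
        return "content is $detected, not " . ALLOWED[$ext];
    }
    // 5. So require the file to parse as an image of the claimed type. A four-byte
    //    magic prefix followed by "<?php ..." does not survive this step.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return 'file does not decode as an image of the claimed type';
    }
    return null;
}

// Storage: never keep the user's filename. Use a random name with the allowlisted
// extension, in a directory the web server is configured not to execute PHP from.
function safe_target(string $uploadDir, string $ext): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}
```

getimagesize() still accepts a genuine JPEG with PHP hidden in a comment segment, so re-encoding the image with GD (imagecreatefromjpeg() followed by imagejpeg()) before storing it strips such payloads. Serving uploads from a directory with PHP execution disabled is what makes any remaining bypass harmless.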

Just finished this one last night, was up until 3am.

You’re going to hate it, but believe me it’ll make sense:

  1. try other extensions you used in the previous module
  2. decode the base64 response, read the source code VERY carefully

Hope this helps!!

1 Like

I think you shouldn’t make sure that the file you’re uploading has the extension .php\x00.jpeg and is in the required JPEG image format. Does the file match the JPEG image? I know sometimes servers may reject files if their content doesn’t match their extension. BTW, one more moment. The server may be applying some restrictions on downloading files with some extensions or content. Check the server’s security policy 🙂

1 Like

Can you be more specific? I’ve tried all the possible extensions for PHP from the PayloadsAllTheThings repo.

Correct.

It is going to be in base64
so now decode that, and read the source code.
The source code will be the response.

Decode Response > read the source code (which will be in PHP ) > find the name of the flag

The flag’s name is being changed in the PHP code.

  • hint: if the flag name is being changed, then it’s safe to assume the file name is NOT flag.txt

As for the upload: just because one double extension bypasses does not mean it will allow the upload.

Keep pushing, and like I said, “You’ve used this extension in previous modules”.

@AnnabelleBurnet makes good suggestions as well.

Keep pushing!! You got this, and we’re here to help!!

1 Like

I’m just happy to help with my little assumptions 🐰

1 Like

Hi,
Finally I was able to leak the content of “upload.php”. My next step was to upload a PHP shell, so I uploaded it.
Now I cannot access the web shell because I’m not able to find the correct file path.
I’ve read the leaked PHP code very well:
My idea is that the file is at:

It doesn’t work. Any ideas?

1 Like

You’re RIGGGGGGGGHT there.

Think. How did you execute commands on the previous module??

Url= path.extension=[ what do you put here?? ]

We’ll get you through this, bud, you’re so close. Don’t worry, I understand the frustration. I’ll say you’re in the right direction. You just need to provide a way you can execute commands through the URL, and don’t forget, if you do it from the client, you have to URL-encode the commands.

You’re soooooooo close.

Hi, I’m stuck for several days now… I can’t decode the source code. Can someone help me with that?

I was able to find the flag after a DAY of searching, here are the KEY tips:

First, the correct PHP extension (you should’ve used it in one of the previous sections before), and also the content type.

But even with the correct PHP extension it still gave me ‘Only images are allowed’ in Burp,
so try to find the correct file signature/magic bytes that match the payload file until it doesn’t give you the same message.

and MOST IMPORTANTLY like @CodeWidthMe suggested, read the source code VERY carefully.

And don’t overthink it, guys! If you still need help you can talk to me on Discord: venz01 🙂