Tags: upload bypass
Rating: 3.0
Homepage greets us with a login screen.
We can create an account and then login in.
It says we don't have permissions to edit our profile but if we look at the cookie, we can see it's simply base64 encoded so we can decode it, edit it and base64 encode it.
We now have an Admin approved cookie
eyJ1c2VybmFtZSI6ImFkbWluIiwiYXBwcm92ZWQiOnRydWV9
With some experimentation, we notice we also have Reflected XSS with the username field.
XSS cookie
eyJ1c2VybmFtZSI6IjxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0PiIsImFwcHJvdmVkIjp0cnVlfQ==
However this is a rabbit hole because XSS can't get us a foothold as stated in the challenge description.
The profile picture didn't change when I changed the cookie with Admin and True. So I went back to leaving it on my username but approved set to true.
eyJ1c2VybmFtZSI6ImxhenkiLCJhcHByb3ZlZCI6dHJ1ZX0=
This now allows for the profile picture to change. However we can still only upload PNG files. We need to bypass that.
Added a double extension, and the PNG header along with some content from a png file. Then added a php shell. I listed files in root and saw the flag so I read it using cat.
![image](https://user-images.githubusercontent.com/80063008/144763419-b4c24e73-fdef-4b6b-b2c2-22a39c2bf228.png)
![image](https://user-images.githubusercontent.com/80063008/144763421-c410e4be-af5b-4b2d-aa70-6a5e6d7075d6.png)
HTB{br4k3_au7hs_g3t_5h3lls}
With the payload below, I could also get a shell on the box even if one isn't really required once you have command execution.
![image](https://user-images.githubusercontent.com/80063008/144763429-d2a951d6-6085-47d4-a3c0-19023d95f4b2.png)
![image](https://user-images.githubusercontent.com/80063008/144763432-82d217b7-98ed-4be0-ae6f-46d38049b8f6.png)