Logged in to the Web Application using the given credentials :
We uploaded a image to the avatar and got the below response :
We were also able to access the file in the URL/files/avatars/:
We replaced the POST request when setting the avatar with a simple php web shell :
And we got a response saying the file was uploaded:
Still when accessing the file , without executing the file got downloaded :
We even tried this method :
Still we didn’t get a solid output.
We checked the solution and was able to solve the lab :
We URL Encoded the ../ and was able to upload the PHP webshell, Outside the /avatar
directory that renders images.
We got the response also as the file was uploaded to avatars/../image.php :
We were finally able to get command execution on the server and solve the lab :
