TryHackMe Walkthrough Link: https://tryhackme.com/room/uploadvulns
This post contains a series of hints for the final challenge (Jewel) in the File Upload Vulnerabilities room on TryHackMe. With the information here it should be possible to completely walk through the final challenge — however, please take the time to try it for yourself, and use the hints one at a time as and when you get stuck.
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt wordlist on the site to begin with. Whilst that runs, look at the source code of the homepage and see if you can find any static files being included…
/content. Try uploading a legitimate JPEG image (bearing in mind the size filter!), then use the custom wordlist in the room to find your image.
-x switch will come in handy. Remember that you’re looking for a
/contents, but it’s just showing as text and not activating? Take another look at your Wappalyzer output, or read the X-Powered-By header by intercepting a Burpsuite response.
/modules directory — but your file is in /content. Seeing that these are both top-level directories under the web-root, how would you go between them?
../content/<name-of-your-shell>.jpg to activate your reverse shell. Bear in mind that you’ll need to find the name of the shell first if you haven’t already.
gobuster dir -u http://jewel.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt). You’ll see that there is a page called /admin, and a directory called /content. Files you upload will end up in /content with a random three-letter filename. Go to the homepage and use Burpsuite to remove the Client-Side Filter as demonstrated in task seven. The webserver is using Node.js (as the X-Powered-By header will show you). Download a Node.js reverse shell from here, and fill it in with your own IP and chosen port. Call the shell “file.jpg” to get around the MIME filter on the server (or edit the MIME type with Burpsuite after uploading). Next use gobuster with the wordlist in the room to fuzz for your upload: gobuster dir -u http://jewel.uploadvulns.thm/content -w <path-to-wordlist> -x jpg — notice the -x jpg switch adding the .jpg file extension to each request. Have a look at each of those files in your web browser — one of them will be your shell. Remember the name of this file, and start a netcat listener on your own machine using your chosen port number; then go to the admin page and type in ../content/<name-of-file> — so, for example, it might be ../content/ABC.jpg. You should receive a reverse shell.
You should hopefully now have completed Jewel. If you’re still struggling, please feel free to ask for help in the TryHackMe Discord.
The following video walkthrough is also available: