In this post, we’ll be solving the PortSwigger lab: “Remote Code Execution via Web Shell Upload”.

PortSwigger lab home page

To solve the lab, we need to upload a PHP file that reads and displays the contents of the /home/carlos/secret file, since we must submit the contents of this file to demonstrate that we’ve completed the lab.

In this case, the lab itself provides us with an account to log in, so let’s do that:

Login form

Provided access credentials

Once we’ve logged in, we’re presented with the account profile:

User profile

As we can see, we have an option to upload a file, which appears to be for updating the profile avatar. Let’s try to take advantage of this option to upload the following PHP file:

PHP code to read the secret file

This code simply reads the /home/carlos/secret file using the cat command.

File selection for upload

Confirmation of selected file

Once selected, we click Upload, and we’ll be redirected to a page that tells us the file has been successfully uploaded:

Success message when uploading the file

In this case, there is no sanitization whatsoever.

So now, if we look at the profile, we can see that the avatar has changed and is now showing an error that the image isn’t loading properly.

Avatar with loading error

By right-clicking on it, we can go directly to the image path to see if it’s our PHP file:

Context menu to open image

Successful PHP file execution

Indeed, the PHP file we uploaded has been stored as the avatar file. That’s why it wasn’t loading on the profile: the page was trying to load an image when the file wasn’t one. When we visit the PHP file, the code we placed in it is interpreted, and we successfully read the secret file.
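For comparison, here are the server-side checks whose absence made this possible, as an added example that is not part of the lab or the original post. It is written in Python rather than the lab's PHP, and the size limit, the function names and the storage directory are assumptions.

```python
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 1024 * 1024  # assumed avatar size limit
# Leading file signatures mapped to the only extensions the server ever writes.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

class UploadRejected(Exception):
    """Raised when an upload fails validation."""

def detect_image_ext(data: bytes) -> str:
    """Return the extension for an allow-listed image type, judged by content only."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not an allowed image type")

def store_avatar(client_name: str, data: bytes, storage_dir: Path) -> str:
    """Validate an upload and store it under a server-generated name."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = detect_image_ext(data)
    # client_name is never used to build the path, so neither a client-chosen
    # extension (.php) nor directory components can reach the filesystem.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    # Assumption: storage_dir lies outside the web root (or has script
    # execution disabled) and files are served back with a fixed image type.
    (storage_dir / stored_name).write_bytes(data)
    return stored_name

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the lab.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    script = b"<?php /* placeholder body */ ?>"
    with tempfile.TemporaryDirectory() as tmp:
        print(store_avatar("avatar.png", png, Path(tmp)))
        try:
            store_avatar("avatar.php", script, Path(tmp))
        except UploadRejected as exc:
            print("rejected:", exc)
```

The signature check is only a sanity filter. What keeps an upload from being interpreted is the server-chosen name and extension, together with a storage location the PHP interpreter never serves.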

Having read this file, we simply submit the answer:

Form to submit the solution

Submitted solution confirmation

And this way, we complete the lab:

Lab completed successfully

Final confirmation message