In this post, we’re going to solve the PortSwigger lab: “Web shell upload via obfuscated file extension”.

To solve the lab, we need to upload a PHP file that reads and displays the contents of the /home/carlos/secret file, because to prove that we've completed the lab we must submit the contents of that file.
Additionally, the server is configured to reject certain file extensions.
In this case, the lab itself provides us with an account, so let's log in:


Once we’ve logged in, we find ourselves on the account profile:

Once we're on the profile, we can see a file upload field for updating the account's avatar. Let's try to take advantage of it to upload the following file:

First of all, let’s prepare Burp Suite to intercept the requests:


Once we have this part configured, we upload the file:



Burp Suite will intercept the upload request:

To work with the upload request more comfortably, we send it to Repeater by pressing Ctrl+R:

When we click Send, the server's response tells us that only JPG and PNG files are allowed.
So the idea is to use a double extension together with a null byte and see whether that bypasses the restriction:


When we send the request, the response shows that the file has been uploaded. Not only that: thanks to the null byte, the second extension we appended (.jpg) has been dropped, so the file was stored with a .php extension. With this done, let's view the response in the browser:
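To make clear why the null byte works and what a correct server-side check looks like, here is an added example in Python (it is not the lab's code). It models the weak check the lab's behaviour implies (only the text after the last dot is inspected, and the filename is URL-decoded before use, both assumptions) next to a hardened validator that rejects null bytes and double extensions outright.

```python
import os
import re
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}


def weak_is_allowed(filename: str) -> bool:
    """Naive check: only the text after the last dot is inspected.
    'readSecret.php%00.jpg' passes because the check sees 'jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def stored_name_after_truncation(filename: str) -> str:
    """Model of what happens when the decoded name reaches a C-style
    filesystem API: the string ends at the first NUL byte, so
    'readSecret.php\\x00.jpg' is written to disk as 'readSecret.php'.
    (Assumption: the server URL-decodes %00 before touching the disk.)"""
    decoded = unquote(filename)
    return decoded.split("\x00", 1)[0]


def hardened_is_allowed(filename: str) -> bool:
    """Defensive check: decode first, then reject anything that could be
    interpreted differently by the validator and by the filesystem."""
    decoded = unquote(filename)
    # NUL bytes and path separators have no place in an upload name.
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        return False
    base = os.path.basename(decoded)
    # Whole name must be one stem plus exactly one allowed extension,
    # so 'shell.php.jpg' is rejected as well, not just the NUL trick.
    pattern = r"[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png)"
    return re.fullmatch(pattern, base, re.IGNORECASE) is not None


def check_upload(filename: str) -> dict:
    """Run both validators on one name so the difference is visible."""
    return {
        "weak_allows": weak_is_allowed(filename),
        "stored_as": stored_name_after_truncation(filename),
        "hardened_allows": hardened_is_allowed(filename),
    }
```

Beyond the name check, a server should also store the file under a name it generates itself and serve uploads from a directory where PHP is not executed; the validator above only closes the bypass shown in this lab.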




We’re no longer going to use Burp Suite, so we disable the proxy:

Once disabled, we go back to our profile:


As we can see, the avatar has been set, but an error occurred while loading the image, most likely because the browser is trying to render our PHP file as if it were an image. Let's open the direct path of "the image" by right-clicking it:


The image still fails to load. However, if we look at the URL, the browser is requesting readSecret.php%00.jpg, when the file that was actually stored is readSecret.php. So we change the URL to request that file instead:

In this way we reach the PHP file, the server interprets it, and we are able to read the secret file.
Having read it, we simply submit the solution:


And in this way, we complete the lab:

