# Remote code execution via web shell upload

This is a writeup for a challenge from PortSwigger's [Web Security Academy](https://portswigger.net/web-security/). In this one, we will learn how a Remote Code Execution vulnerability can be identified and exploited and what an attacker can gain from it.

### **Objective**

> *This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.*

> *To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file* `/home/carlos/secret`. Submit this secret using the button provided in the lab banner.

> *You can log in to your own account using the following credentials:* `wiener:peter`

### **&gt; Solving the challenge**

We got the website, let's log in with `wiener:peter` as credentials:

![](https://telegra.ph/file/69334c870a9cfb5945b9b.png align="left")

Here we can find a file upload feature:

![](https://telegra.ph/file/c17574580aae305f54bdf.png align="left")

The server seems to expect any type of file, and not just images. As the objective says, let's try to upload some PHP code. I would like to spawn a web shell there, and my PHP web shell of choice is [p0wny](https://github.com/flozz/p0wny-shell/blob/master/shell.php).

We can upload it via the avatar upload form:

![](https://telegra.ph/file/8cc77f36b0342a46d4adb.png align="left")

Now we can navigate to the `/files/avatars/p0wny.php` to spawn a shell:

![](https://telegra.ph/file/00a7be36bbfde492f8862.png align="left")

Apparently, they don't want you to run any type of shell, so I couldn't make it work properly (which is weird, as the title clearly says "Remote code execution via web shell upload"). Same with a more classic reverse shell.

What a shame. Anyway, our goal is to read the flag.

We can create a lame PHP document with something like, as we know what exactly we should read:

`<?php echo file_get_contents('/home/carlos/secret'); ?>`

Upload your `lame.php`, and call it as we did with a shell.

Submit the secret to solve the lab:

![](https://telegra.ph/file/08e37423ba3fadec90cff.png align="left")
