HTB File Upload Attacks

Time to complete: ~10 hours

https://academy.hackthebox.com/achievement/402127/136

Learnt skills:

  • Able to detect and exploit file upload forms with no validations or filters
  • Can bypass client-side/front-end upload controls to upload arbitrary files
  • Able to identify what extensions are not blacklisted and use them to gain code execution
  • Able to identify what extensions are whitelisted and whether they can be bypassed to upload arbitrary files
  • Able to detect type/content validations and bypass them using fake content headers and file signatures
  • Can work with various types of limited file upload forms and attack them based on the file types they allow
  • Can attempt various other attacks with file upload forms
  • Able to report file upload vulnerabilities and their mitigations, along with recommendations on how to protect the web application against future attacks