Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Burp Academy Lab says secret is not correct?

Warren | Last updated: Jan 08, 2024 06:29AM UTC

Hello For the "Web shell upload via Content-Type restriction bypass" Lab I have uploaded a web shell and can read the secret file in /home/carlos but when I submit it with the solution button it says it is not correct. What do I do now? How do I reset the lab?

Ben, PortSwigger Agent | Last updated: Jan 09, 2024 09:01AM UTC

Hi Warren, I have just run through this particular lab and was able to solve it using the written solution so the lab does appear to be functioning as expected. Are you able to share what your exploit looks like and what response you are receiving when you send the GET /files/avatars/exploit.php request in Repeater? It might be easier to provide this information with screenshots so please feel free to send us an email at support@portswigger.net and include the screenshots from there (you cannot attach screenshots directly to forum posts).

Ishtiaq | Last updated: Mar 01, 2024 02:03AM UTC

I am able to read the contents of /home/carlos/secret, but when I submit the solution, it says incorrect. Do we need to solve the lab as per the solution provided? I try to upload a web shell bypassing the Content-Type header. I have RCE and I am sure the file content for secret is also correct but lab rejects when I submit the answer.

Ishtiaq | Last updated: Mar 01, 2024 02:14AM UTC

Apparently the file content is different when you use the lab provided solution! This is really confusing. I was able to solve using <?php echo file_get_contents('/home/carlos/secret'); ?> as the payload instead of <?php echo system($_GET['cmd']); ?> Even though the web shell gave me RCE and I was able to read /home/carlos/secret file content, the output of the file is different than using the file_get_content method!

Ben, PortSwigger Agent | Last updated: Mar 01, 2024 09:05AM UTC

Hi Ishtiaq, If you use the 'echo system' command then you will be outputting the secret twice. If you want to go down the route of being able to enter commands via your webshell have you looked into using the following instead: <?php system($_GET['cmd']);?>

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.