OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert
Bill’s Steak House (RCE)
Lab can be found at: https://webverselabs-pro.com/

Land on Bill’s Steak House and you’ll see several options. Head over to the reviews:

You’ll see, it’s RCE time!

You can’t see it in the screenshot, but the upload form was filtering and only accepting JPEG and similar image types. Capturing the request in Burp Suite and bypassing the client-side check was enough. Files ending in .phtml are passed to the PHP interpreter on many default Apache/PHP installs (the stock Debian/Ubuntu php module config maps .php, .phar and .phtml to the handler), so a webshell with that extension executes server-side rather than being served as a static file. Find a webshell online and use it (I crafted my own using a basic cmd shell in an HTML wrapper):

You’ll now be able to execute commands by browsing to /uploads/terminal.phtml (in my case; your URL will differ depending on the filename you uploaded), and I could grab the flag from /home/billy/flag.txt:

Thanks for following along!