[Day 15] Secure Coding
December 15, 2022
Today was a different kind of day for AOC, as I learned about secure programming for file uploads. This is interesting to me because it helps me understand the different approaches developers may take when implementing file uploads and how those uploads may be exploited. I would highly recommend checking out this room to understand what defences developers can use for a file upload.
Flags
What is the name given to file uploads that allow threat actors to upload any files that they want?
unrestricted
What is the title of the web application developed by Santa's freelancer?
santasidekick2
What is the value of the flag stored in the HR Elf's Documents directory?
THM{Naughty.File.Uploads.Can.Get.You.RCE}
Also, as a side note: in your Meterpreter session you can run 'getsystem' to escalate to NT AUTHORITY\SYSTEM.
What defence technique can be implemented to ensure that specific file types can be uploaded?
File Extension Validation
What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?
File Renaming
What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?
Malware Scanning
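The three defences above (extension validation, file renaming and malware scanning) are easiest to understand together, so here is an added example of an upload handler that applies all three in order. This is my own illustration, not code from the room or from the santasidekick2 application. It assumes an allowlist of four document/image types, checks the file's leading bytes against the claimed type so that a script renamed to .png is still caught, and uses a constructed list of byte signatures as a stand-in for a real scanner such as ClamAV. The stored name is a random UUID plus the validated extension, so an uploader cannot later request their file by the name they chose.

```python
import tempfile
import uuid
from pathlib import Path

# Assumed allowlist for this example; the application decides what it accepts.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}

# Leading bytes ("magic") for the binary types we accept. ".txt" has no
# signature, so it is accepted only if the bytes decode as UTF-8.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
}

# Constructed stand-in for a malware scanner: a few byte signatures that
# would indicate a web shell or stager. A real deployment calls an AV engine.
MALWARE_SIGNATURES = [
    b"<?php",             # PHP web shell
    b"<%",                # ASP/JSP server-side code
    b"powershell -enc",   # encoded PowerShell stager
]


class UploadRejected(Exception):
    pass


def validate_extension(filename: str) -> str:
    """File extension validation: only the final extension counts, it must be
    on the allowlist, and a NUL byte in the name is rejected outright (the
    classic shell.php<NUL>.png trick against naive string handling)."""
    if "\x00" in filename:
        raise UploadRejected("NUL byte in filename")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def validate_content(ext: str, data: bytes) -> None:
    """Check that the bytes actually look like the type the extension claims."""
    if ext == ".txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text file is not valid UTF-8")
        return
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected(f"content does not look like {ext}")


def scan_for_malware(data: bytes) -> None:
    """Malware scanning stand-in: reject if any known signature is present."""
    for sig in MALWARE_SIGNATURES:
        if sig in data:
            raise UploadRejected(f"malware signature {sig!r} found")


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Run all three defences, then write the file under a random name.
    Returns the stored name; raises UploadRejected otherwise."""
    ext = validate_extension(filename)
    validate_content(ext, data)
    scan_for_malware(data)
    # File renaming: the original basename is discarded entirely, so the
    # uploader cannot fetch /uploads/shell.php by name afterwards.
    new_name = f"{uuid.uuid4().hex}{ext}"
    (Path(upload_dir) / new_name).write_bytes(data)
    return new_name


def run_demo() -> dict:
    """Push a few constructed uploads through the handler and report the
    outcome of each as either 'stored as <name>' or 'rejected: <reason>'."""
    cases = {
        "good_png": ("santa.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "php_as_png": ("shell.php.png", b"<?php system($_GET['c']); ?>"),
        "bad_ext": ("shell.php", b"<?php echo 1; ?>"),
        "null_byte": ("shell.php\x00.png", b"\x89PNG\r\n\x1a\n"),
        "hidden_stager": ("notes.txt", b"powershell -enc AAAA"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for name, (fname, data) in cases.items():
            try:
                results[name] = "stored as " + store_upload(fname, data, upload_dir)
            except UploadRejected as err:
                results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:14s} {outcome}")
```

Note the order: the double-extension case shell.php.png passes the extension check (the last suffix is .png) but fails the content check, and even if it had carried real PNG bytes the rename would have stripped the .php part from the stored name. The scanner is deliberately last so that cheap checks reject most junk before the expensive one runs.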