[Day 15] Secure Coding

December 15, 2022

Today was a different day for AOC as I learned about secure programming with file uploads. This is something interesting to me as it helps me understand different approaches the developers may make when creating file uploads and how they may be exploited. I would highly recommend checking out this room to understand what developers could use in a file upload.

Flags

What is the name given to file uploads that allow threat actors to upload any files that they want?

unrestricted

What is the title of the web application developed by Santa's freelancer?

santasidekick2

What is the value of the flag stored in the HR Elf's Documents directory?

THM{Naughty.File.Uploads.Can.Get.You.RCE}

Also, a side note in your meterpreter session you can use 'getsystem' for NT_Auth

What defence technique can be implemented to ensure that specific file types can be uploaded?

File Extension Validation

What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

File Renaming

What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

Malware Scanning