Webverselabs Hollow Run Bedding Challenge File Upload
Scenario:
Hollow Run Bedding was founded in 2019 by two cousins in Bird-in-Hand, PA, after a family wedding turned into a long conversation about how every mattress on the market either sagged or smelled. They build two models — a firmer flagship and a softer companion — sell direct, and ship with a 100-night trial. The review thread on each product page fills in steadily; verified buyers post a star rating, a paragraph, and a photo of the mattress in their bedroom. The form was scoped one evening at the kitchen table.
Solution:
We first need to create an account that we can use to enumerate the application further.
We see that we can leave reviews on different products.
The Shell.jpg file contains our webshell!
We first upload it as an image, then intercept the request in Burp and change the extension to .php to see if we can bypass the frontend validation.
We see that our shell is uploaded without any issue; now we just need to know where it is stored to be able to interact with it. In the Burp history we see a GET request for the newly created review:
Perfect, now we just need to visit the /reviews/13-shell.php endpoint to interact with our webshell.
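The bypass works because the extension check only runs in the browser and the server then stores the file under the name the client sent, so the path /reviews/13-shell.php is easy to predict. As an added example (my own code, not part of the challenge or this write-up), here is the server-side validation an app like this could run instead; the names `validate_review_photo`, `is_accepted` and `stored_name` and the sample inputs are my own.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start with.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised when a review photo fails server-side validation."""

def validate_review_photo(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is acceptable, else raise.
    Both checks run on the server, so rewriting the request in a proxy
    (as done in the write-up) no longer changes the outcome."""
    base = os.path.basename(filename)      # drop any directory components
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()   # 'Shell.JPG' -> 'jpg'
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f".{ext} is not an allowed image extension")
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext

def is_accepted(filename: str, data: bytes) -> bool:
    """True if validate_review_photo() does not reject the upload."""
    try:
        validate_review_photo(filename, data)
        return True
    except UploadRejected:
        return False

def stored_name(ext: str) -> str:
    """Server-chosen random filename: the client's name never reaches disk,
    so the stored location cannot be derived from the review id and upload name."""
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample inputs (not from the challenge): a minimal JPEG header and a non-image blob.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
NOT_AN_IMAGE = b"this is not an image"

if __name__ == "__main__":
    print(is_accepted("bedroom.jpg", JPEG_SAMPLE))  # True
    print(is_accepted("shell.php", JPEG_SAMPLE))    # False: extension not allowlisted
    print(is_accepted("shell.jpg", NOT_AN_IMAGE))   # False: magic bytes do not match
```

The other half of the fix is serving the upload directory with script execution disabled, which is a web-server setting and not shown here.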
Perfect , the flag is always located at /flag.txt .
That’s all for this challenge :)