THM Upload Vulnerabilities -- Bypassing Server-Side Filters

Server-Side Filtering: File Extensions

Go to annex.uploadvulns.thm

Try to upload the reverse shell script with various file extensions.
.png works
.php doesn't
.phtml doesn't
.php3 doesn't
.php4 doesn't
.php5 works! Upload the script with the .php5 file extension.
Make sure netcat is listening: nc -lvnp 1234
Run gobuster to find the directory where uploaded files are stored.
Find the directory, run the script, use the shell, find the flag.

Server-Side Filtering: Magic Numbers

Go to magic.uploadvulns.thm

Enumerate which file types are accepted and which are rejected.
Search online for the magic number of a file type that is accepted.
Use the Linux file command to check the detected type of the payload file.
Edit the file and prepend as many placeholder characters as the target magic number has bytes.
Open the file in a hex editor and overwrite those first bytes with the target magic number.
Recheck the file type with file to make sure it is now detected as the target type.
Upload file successfully
Open netcat listener
Run gobuster to find the directory where uploaded files are stored.
Find the directory, run the script, use the shell, find the flag.
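Both rooms above defeat a filter that only checks one thing: a blacklist that forgets .php5, or a magic-number check that trusts the first bytes of the file. The following added example (my own code, not part of the TryHackMe room) shows the weak checks beside a hardened validator that uses an extension allowlist, matches the magic bytes against the claimed extension, and then verifies the PNG structure after the signature; it assumes PNG is the only permitted type and uses constructed sample files.

```python
import os
import struct

# Allowlist of permitted extensions mapped to their magic bytes.
# Assumption for this example: only PNG uploads are permitted.
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n"}

# The style of blacklist the first room defeats: it misses .php5,
# which the server still executes as PHP.
BLACKLIST = {".php", ".phtml", ".php3", ".php4"}

# Constructed samples: a minimal PNG header (signature + IHDR chunk, CRC omitted)
# and a placeholder script whose first eight bytes were patched to the PNG signature.
REAL_PNG = (ALLOWED_TYPES[".png"] + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0) + b"\x00" * 4)
PATCHED_SCRIPT = ALLOWED_TYPES[".png"] + b"<?php /* placeholder script body */ ?>"


def weak_extension_check(filename):
    """Blacklist check: accepts shell.php5 even though PHP will run it."""
    return os.path.splitext(filename)[1].lower() not in BLACKLIST


def weak_magic_check(data):
    """Magic-only check: accepts any blob whose first bytes were patched to a known signature."""
    return any(data.startswith(magic) for magic in ALLOWED_TYPES.values())


def _png_is_structurally_valid(data):
    # Right after the 8-byte signature a PNG must carry an IHDR chunk:
    # a 4-byte big-endian length of 13 followed by the chunk type b"IHDR".
    # A script with only its first bytes patched fails this test.
    if len(data) < 16:
        return False
    length = struct.unpack(">I", data[8:12])[0]
    return length == 13 and data[12:16] == b"IHDR"


def hardened_check(filename, data):
    """Allowlist the extension, require matching magic bytes, then check the structure."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "magic bytes do not match extension"
    if ext == ".png" and not _png_is_structurally_valid(data):
        return False, "PNG header present but body is not a PNG"
    return True, "ok"
```

Storing the accepted file under a server-generated name outside the web root, rather than under the uploader's filename, removes the remaining reliance on the extension check.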