Sometimes the blacklist is as follows:

```php
<?php
// Take the original filename and extract its extension exactly as submitted
$fileName = basename($_FILES["uploadFile"]["name"]);
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
// Case-sensitive blacklist; an extension such as phar is not listed at all
$blacklist = array('php', 'php7', 'phps');
if (in_array($extension, $blacklist)) {
    echo "File type not allowed";
    die();
}
```
<aside> 💡
The comparison above is case-sensitive, so we could try a mixed-case extension.
</aside>
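The two weaknesses of that check are the case-sensitive comparison and the fact that a blacklist can only name the extensions its author remembered. The following is an added example, not code from the original note: it keeps the page's blacklist check as a function and places an allow-list check next to it that lower-cases the extension and also inspects the file's magic bytes. The function names, the allowed lists and the sample byte strings are assumptions made for this demo.

```php
<?php
// Added example (not from the original note). Assumed names: blacklistRejects,
// uploadAllowed; assumed allow-lists for an image-only upload endpoint.

// The page's blacklist check, behaviour unchanged: case-sensitive and incomplete.
function blacklistRejects(string $fileName): bool
{
    $extension = pathinfo(basename($fileName), PATHINFO_EXTENSION);
    $blacklist = ['php', 'php7', 'phps'];
    return in_array($extension, $blacklist, true);
}

// Hardened check: allow-list instead of blacklist, case-insensitive comparison,
// and the content must look like one of the permitted image types.
function uploadAllowed(string $fileName, string $bytes): bool
{
    $allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif'];

    // strtolower() closes the mixed-case gap noted in the aside above.
    $extension = strtolower(pathinfo(basename($fileName), PATHINFO_EXTENSION));
    if (!in_array($extension, $allowedExt, true)) {
        return false;
    }

    // The name says image; confirm it against the actual bytes with libmagic.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    return in_array($mime, $allowedMime, true);
}

// Constructed samples: a bare PNG signature and a minimal PHP stub.
$pngBytes = "\x89PNG\r\n\x1a\n";
$phpBytes = "<?php echo 1; ?>";

$cases = [
    ['test.Php',  $phpBytes],   // mixed case: the blacklist misses it
    ['test.phar', $phpBytes],   // extension the blacklist never listed
    ['test.png',  $pngBytes],   // legitimate image
    ['test.png',  $phpBytes],   // image name, script content
];

foreach ($cases as [$name, $bytes]) {
    printf("%-10s blacklist rejects: %-4s allow-list accepts: %s\n",
        $name,
        blacklistRejects($name) ? 'yes' : 'no',
        uploadAllowed($name, $bytes) ? 'yes' : 'no');
}
```

Run with `php example.php`: the first two names pass the blacklist but fail the allow-list, only the real PNG is accepted, and a script renamed to `.png` is refused on its content. Validation alone is still not enough: the stored file should get a server-generated random name, and the directory it is served from (here `profile_images/`) should have the PHP handler disabled so that nothing placed there is ever interpreted.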
We need to fuzz the possible extensions to find out which ones are allowed.
First fuzz the upload with an extension list (https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Upload Insecure Files/Extension PHP/extensions.lst).
Then fuzz the GET requests for the uploaded files.
Sort the GET responses by size: the smallest 200 response is the one where the PHP code was interpreted, so the response body is empty.
Then: http://94.237.48.51:30703/profile_images/test.phar?cmd=cat /flag.txt
→ HTB{1_c4n_n3v3r_b3_bl4ckl1573d}